SECTION A

Page 6 - Revised to clarify Fault Tree documentation.

Page 7 - Revised to identify IA&T as Integrating Contractor.

Page 7.1 - Added to provide for Technical Interchange Meetings.

Page 8 - Revised to identify the Fault Trees.

SECTION B

Pages 2 and 3 - Revised to correct scheduling to reflect associate contractors' commitments, A/N letter 63iN/MM 3820 dated 11 June 1963, Subject: Fault Tree Analysis Program, and Sylvania Letter f<!P0Ii-2-4-860 dated 14 June 1963, Subject: Fault Tree Coordination. Pages 4 and 5 deleted.

SECTION C

Page 2 - Revised to clarify definitions.

SECTION D

Pages 5 through 6.2 revised to redefine composition of the -2 and -3 volumes.

All pages are revised to reflect change in section identification.

Pages 18 through 44, Section 1, added to provide additional mathematical methods.

Section F "References" is deleted. The references are included in introductory pages of Section 1.
3.1.1 INTRODUCTION

Letter Contract AF04(694)-266 requires that a Fault Tree Analysis be prepared to determine the probabilities of Inadvertent and Faulty Launches in the WS-133B Weapon System. This type of analysis provides a graphic display of fault sequences which can cause an unwanted event and a measure of the system safety.

The determination of the ability of a complex system to provide safety against an undesirable event is exceedingly involved.

An orderly analysis has been prepared by the Bell Telephone Laboratories, entitled Launch Control Safety Study Report, dated September 15, 1962 (ref. 1). They introduced a concept of Fault Trees which, with equivalent Boolean equations, provides a technique particularly adaptable to this effort.

The trees graphically illustrate, in a logical form, the faults which might occur to permit an undesirable event.

Boolean equations, which express the fault relationships, offer mathematical simplifications for calculating the Safety Constant.

PURPOSE

The purpose of the Fault Tree Analysis Program is to:

(a) Determine the probabilities of inadvertent and faulty launches.

(b) Identify those failures which make excessive contribution to (a).

(c) Recommend corrective measures.

ORGANIZATION AND SCOPE

The WS-133B Fault Tree Analysis Program is organized into three categories, each in a volume of this document as follows:

D2-30207-1   Program Plan
D2-30207-2   Inadvertent and Faulty Launch Summary
D2-30207-3   Associate Contractor's Detail Analyses

The scope of the analysis is divided into 3 divisions.
5.1.1.1 The Alert System

This is the analysis of the probability of I.L. during the system life. It includes the operational system during the Strategic Alert, Strategic Standby, Launch Commanded, and Launch in Process modes, the exercise of preparatory launch commands, and also includes the probabilities of those events which can be caused by commanded programmed tests or calibration of the system, and by maintenance equipment and procedures.

5.1.1.2 The System Under Commanded Tests, Calibration and Interrogations

This is the detail analysis of the probabilities contributing to I.L. during the periods of commanded tests and calibration. It also includes the interactions of commanded tests and interrogation of a specific LF upon the overall system. It excludes the effects of MGE connected to the system, paragraph 5.1.2.4.

5.1.1.3 Assembly and Checkout Equipment

This is the analysis of the A&CO equipment to determine what unsafe residual or post test effects can be left in the system by failures of the test equipment.

5.1.1.4 Maintenance Ground Equipment

This is the analysis of maintenance equipment effects at the LCF, LF and OCCP.

1. Analyze the maintenance conditions which contribute to those events indicated in the analysis of the alert system, paragraph 5.1.2.1.

2. Determine what unsafe residual or post maintenance effects can be left in the system by failure of the maintenance equipment.

3. Determine maintenance equipment failure rates for the modes of failure which are needed for (1) and (2) above.

5.1.1.5 Faulty Launch Analysis - The Alert System

It includes equipment malfunctions and improper flight instructions under operational and maintenance conditions.

5.2 D2-30207-1 WS-133B Fault Tree Analysis Program Plan

This volume defines the Fault Tree Analysis Program requirements and responsibilities of all contractors and establishes ground rules, formats, definitions and instructions for preparing fault tree analyses.
D2-30207-2 WS-133B FAULT TREE ANALYSIS - INADVERTENT AND FAULTY LAUNCH SUMMARY

This volume contains the Weapon System Summary Fault Trees and Analyses prepared by the Analysis Integration Contractor.

The contents of this volume are shown below:

SECTION 1. GENERAL
Title Page
Active Page Record Page
Revision Page
Table of Contents
References
Introduction
Summary

SECTION 2. INADVERTENT LAUNCH ANALYSES
1.0 The Alert System
1.1 Functional Flow and Block Diagrams
1.2 Fault Tree
1.3 Mathematical Solution
1.4 Recommendations for Change
2.0 The System Under Tests, Calibration and Interrogations
2.1 Functional Flow and Block Diagrams
2.2 Fault Tree
2.3 Mathematical Solution
2.4 Recommendations for Change
3.0 Assembly and Checkout Equipment
3.1 Functional Flow and Block Diagrams
3.2 Fault Tree
3.3 Mathematical Solution
3.4 Recommendations for Change
4.0 Maintenance Ground Equipment
4.1 Functional Flow and Block Diagrams
4.2 Fault Tree
4.3 Mathematical Solution
4.4 Recommendations for Change

SECTION 3. FAULTY LAUNCH ANALYSIS
1.0 The Alert System
1.1 Functional Flow and Block Diagrams
1.2 Fault Tree
1.3 Mathematical Solution
1.4 Recommendations for Change
D2-30207-3 WS-133B FAULT TREE ANALYSIS - ASSOCIATE CONTRACTOR'S DETAIL ANALYSES

This volume contains the detailed Fault Tree Analyses of each Associate Contractor as received by the Integration Assembly and Test Contractor in support of preparation of the System Fault Trees contained in volume 2 of this document. The contents of this volume are organized as follows:

SECTION 1. GENERAL
Title Page
Active Page Record Page
Revision Page
Table of Contents
References
Introduction
Summary

SECTION X. ASSOCIATE CONTRACTOR*
1.0 Inadvertent Launch Analyses
1.1 The Alert System
1.1.1 Functional Flow and Block Diagrams
1.1.2 Fault Trees
1.1.3 Mathematical Calculations
1.2 The System Under Tests, Calibration and Interrogation
1.2.1 Functional Flow and Block Diagrams
1.2.2 Fault Trees
1.2.3 Mathematical Calculations
1.3 Assembly and Checkout Equipment
1.3.1 Functional Flow and Block Diagrams
1.3.2 Fault Trees
1.3.3 Mathematical Calculations
1.4 Maintenance Ground Equipment
1.4.1 Functional Flow and Block Diagrams
1.4.2 Fault Trees
1.4.3 Mathematical Calculations
2.0 Faulty Launch Analysis
2.1 The Alert System
2.1.1 Functional Flow and Block Diagrams
2.1.2 Fault Trees
2.1.3 Mathematical Calculations
3.0 Recommendations for Change
4.0 Supporting Data
4.1 Failure Mode Analysis
4.2 Reliability Data

*Associate Contractor section numbers have been assigned as follows:

SECTION 2. AEROJET GENERAL
SECTION 3. AUTONETICS
SECTION 4. AVCO
SECTION 5. BOEING
SECTION 6. HERCULES
SECTION 7. SYLVANIA
SECTION 8. THIOKOL

All Associate Contractors shall submit their inputs on their own stationery (8-1/2" x 11" to 11" x 34-1/2"). Document, section and page numbers shall be included in the lower right-hand corner of each page in accordance with the following sample:

1. Each Associate Contractor shall use the section number assigned as shown in the organization of contents above.

2. Page numbering shall start with Page No. 2. The Analysis Integration Contractor shall add the Section Title Page to facilitate handling and incorporation of individual sections into D2-30207-3.
4. CONTRACTORS' RESPONSIBILITIES

The responsibilities of the contractors are described as follows:

4.1 The Integrating Contractor

4.1.1 It is the prime responsibility of the Integrating Contractor to prepare and submit the final Weapon System Fault Tree Analysis to AFBSD.

4.1.2 Based on the Weapon System Fault Tree Analyses, the Integrating Contractor shall provide guidance to other contractors and generate requirements for specific inputs from them.

4.1.3 The Integrating Contractor shall evaluate all detail Fault Tree inputs from other Contractors for compatibility and coordinate interface problems in the analyses.

4.1.4 The Integrating Contractor shall develop and maintain detailed schedules for preparation and submittal of Weapon System Fault Tree Analyses.

4.1.5 The Integrating Contractor shall also fulfill the requirements of paragraph 4.2 below.

4.1.6 The Integrating Contractor shall honor the proprietary rights of the Associate Contractors' submitted proprietary data and shall delete this material from the published submittals and reports.

4.2 All Associate Contractors

4.2.1 It is the prime responsibility of each contractor to prepare detailed Fault Tree Analyses of the equipments he provides.

4.2.2 All contractors shall submit their detail Fault Tree Analyses, together with other substantiating data (failure mode probability, worst case analyses, etc.), to the Integrating Contractor for incorporation into the Weapon System Fault Tree Analyses as outlined in Section 1 Subsection 3.3 and scheduled in Section 2.

4.2.3 Each Contractor may initiate recommendations for changes, shall coordinate them with other Contractors and prepare submittals to AFBSD for decision.

4.2.4 All contractors shall coordinate their Fault Tree Analysis Schedules with the Integrating Contractor for compatibility with the master Weapon System Fault Tree Schedules of Section 2.
4.2.5 All contractors shall submit their inputs to the Integrating Contractor, in accordance with approved schedules, for incorporation into quarterly submittals of the Weapon System Fault Tree Analysis documentation.

4.2.6 Material of proprietary nature submitted to the Integrating Contractor shall be so indicated. This data must be submitted as a separate attachment of the submittal to permit its extraction without rework of the remaining material.

4.3 Technical Interchange (TI) Meetings

4.3.1 TI Meetings will be held on a monthly basis, the third Tuesday of the month, except as indicated in paragraph 4.3.2. Additional meetings may be scheduled on an individual basis at the request of any Associate.

4.3.2 The TI Meetings to be held during the months in which quarterly submittals are made to BSD/STL are to be scheduled on the day preceding the quarterly submittal meeting date.

4.3.3 Announcement of the TI Meeting time and place is the responsibility of the Integrating Contractor with the concurrence of the other Associate Contractors and shall be such that travel is apportioned on an equitable basis.

4.3.4 An action item log will be maintained by the Integrating Contractor, as an instrument of coordination, to assure the timely flow of data among the Associates.

4.3.5 Each action item will be prepared by the representative responsible for the provision of the data and will include a date for the completion of the action item.

4.3.6 Each Associate will be represented by personnel who are knowledgeable in the fault tree effort and who are prepared to commit a date for the completion of an action item.

5. GROUND RULES

These ground rules are supplementary to Contractors' Responsibilities and define a common approach for the development of Fault Trees.

5.1 The Safety Constant objectives for the fault trees will be tabulated and the values specified in the appropriate volumes as shown typically below.
5.1 (Continued)

Fault Tree                                    Safety Constant Objective   Unit Time Results
-------------------------------------------   -------------------------   -----------------------
I.L. - Alert System, including effects of:    1X10                        System Life of Squadron
    System Under Test, Calibration
    and Interrogation
    Maintenance Equipment
Faulty Launch                                 1X10                        Per Launch

5.2 Terms and symbols defined in Section 5 will apply throughout these analyses.

5.3 Fault Tree Analysis will be conducted similar to the outline in Paragraph 6 and Sections 4 and 5.

5.4 The transmission constants of the cable system will be applied as furnished by the GSS Contractor. These will include noise and crosstalk values in the 100 to 5000 cycles band for normal and abnormal conditions caused by cable system failures.

5.5 Failures will be assumed to occur in a random manner.

5.6 Those functions which are required to operate normally to transmit a fault will be assumed to be operating properly. The probability of their failure, which in these instances could block another failure function, is disregarded.

5.7 Failure-Rates and Mean-Time-Between-Failures shall be based upon Document D2-lklyk (reference 2) and Boeing Standards (reference 4) or other Contractors' equivalent.
5.8 The time during which a failure contributes to inadvertent launch is evaluated as follows:

5.8.1 Failures which are detected and repaired by the normal system maintenance shall be considered to be effective for forty-eight (48) hours.

5.8.2 Failures which upon detection cause a subsystem shutdown shall be considered to be effective until shutdown.

5.8.3 Failures which are detectable by the system periodic testing shall be considered to be effective for the period between these tests plus either the period to shut down or 48 hours, whichever applies.

5.8.4 Failures which are not subject to monitored system detection shall be considered to be effective for the maintenance period specified in the Forms C and C1.
For the critical circuits which contribute to the evaluation of the Safety Constants, The Boeing Company shall prepare circuit analyses per Document D2-10744 - Minuteman Reliability Directives 5, 6, 7, and 8 (Ref 3). Other Contractors shall prepare their analyses per these or equivalent procedures.

Functional flow and fault tree drawings shall be reduced to 11" high by a maximum of 34-1/2" long (page edges; folds) for inclusion in documents.

The base line for starting this analysis is the system as designed, properly connected and properly operated.

The fault tree development shall be pursued so that the probability of failure can be readily substantiated at the lowest significant level of interface with other branches (equipment).
6. FAULT TREE CONSTRUCTION

6.1 The purpose of a Fault Tree Analysis is to identify events leading to a hazardous condition and organize these events in a logical form which lends itself to a clear determination of sequence and order of events leading to a hazard and to simple mathematical analysis.

6.2 The basic principles for setting up and preparing Fault Tree Analyses are given in Section VII of the BTL Report, Minuteman Launch Control System Safety Study Report, Vol. I, included as Sect. 4 of this document.

6.3 A Fault Tree Analysis shall be divided into three distinct parts,

1. Functional Flow Diagram,

2. Fault Tree,

3. Mathematical Analysis,

which are finally summed up in the Safety Constant. This safety constant is a numerical evaluation of Safety for a given Fault Tree Analysis.

6.4 The following sequence of steps may be used as a guideline in accomplishing Fault Tree Analyses:

1. Determine methods of operation

2. Prepare functional flow diagrams

3. Develop appropriate Fault Trees

4. Determine circuit and equipment reliability

5. Perform other mathematical analyses as necessary and calculate Safety Constant.

6. Analyze and investigate phenomena that would affect the sensitive elements and show effect on Safety Constant.
6.5 EXAMPLE OF FAULT TREE

6.5.1 Inadvertent launch, defined for this example as at least silo cover removal and first stage ignition, can be considered to be caused by three separate branches of a fault tree as shown in Figure 1. Improper initiation of the proper terminal launch sequence (1) can be caused by faults at almost any point in the command flow; the terminal sequence, once initiated, is irreversible and will certainly result in inadvertent launch (sequence cancelling faults being ground ruled out). Inadvertent launch can also result from random critical failures (3); that is, launch events occur not as ordered by an improperly initiated sequence, but as caused by random failures (the command flow upstream from the DCU is not involved in this branch). Finally, improper entry into the terminal launch sequence at other than its initial point could cause an inadvertent launch if random failures have effectively completed the necessary steps in the skipped portion of the sequence (2) - i.e., inadvertent launch due to interaction of (1) and (2).


6.5.2 A breakdown of the (1) branch of the sample fault tree is shown in Figure 2. Since the DCU controls (or is involved in) all events that must precede terminal sequence initiation as well as controlling the terminal sequence itself, it is advantageous to separate (by branches) faults upstream from the DCU (11) from DCU faults (13), either of which can cause an inadvertent launch. The third (12) branch is needed to account for interaction between the (11) and (13) branches.

6.5.3 The branching philosophy shown in Figures 1 and 2 is obviously not the only philosophy that could be used; however, it appears useful from a bookkeeping point of view in that it permits complete, independent investigation of portions of the total prior to tangling with the maze of total interactions.

6.5.4 A breakdown of the (115) branch is shown in Figure 3. This sub-branch is based on the sample functional flow shown in Figure 4. Note that DCU faults do not appear in Figure 3 since the (115) branch deals only with non-DCU faults. Again, the system is apportioned by branch, with a "combination" branch to handle interactions. At this point in the fault tree it is possible to associate faults with specific equipments. Status system or remedial action failure, shown generally in Figure 3, is brought in at this point of the tree since it is at this level that specific fault status items will usually be defined.

6.5.5 The Boolean equation describing each tree branch is shown on the figures depicting each sample branch.
FIGURE 4

7. APPLICABLE MATHEMATICS

Fault Tree analysis requires careful mathematical treatment. Logic gates for combining faults, Boolean simplification to properly compute the effects of interacting branches, and the calculation of probability of failure in a periodically tested system have been developed by the Bell Telephone Laboratories. In addition to the preceding, the development of failure rate expressions in the constantly monitored system with allowance for repair periods has been added by Boeing.

Also included in this section are some approximations which are useful to reduce undue complications in the Boolean simplification; qualifications applying to failure rate data; the method for performing the final squadron calculations; and some notes on the application of probability to the non-repairable system or short time system modes.
APPLICABLE MATHEMATICS - Contd.

7.1 General

The quantitative conclusion of a fault tree analysis is numerically expressed as the safety constant. The calculations necessary to obtain it require:

(a) The development of the Boolean equations (Paragraph 7.2)

(b) Reliability and failure rate data (Paragraph 7.3)

(c) Determination of failure rates and effective duration times at logic gate outputs (Paragraph 7.4)

(d) Effect of interacting branches (Paragraph 7.5)

(e) Nonrepairable and short-time system mode analysis (Paragraph 7.6)

(f) Squadron and final calculations (Paragraph 7.7)

7.2 Boolean Equations

Section VII of Vol. 1 and Section II of Vol. 2 of the Bell Telephone Laboratory inadvertent launch study describe the generation and simplification of Boolean equations applicable to the fault trees. These sections are included as part of this document in Sections 6 and 7.

7.3 Failure Rates

In determining failure rates for parts and circuits, certain assumptions have been defined. They are as follows:

7.3.1 Assumption 1

For electronic parts, assume a constant three (3) year failure rate to apply for the ten (10) year period except in the cases where information to the contrary is available.

7.3.2 Assumption 2

For parts and components whose failure distribution is Gaussian, convert to the appropriate constant failure rate distribution and specify assumed maintenance intervals. The steps involved in converting a Gaussian distribution to an approximate equivalent constant failure rate distribution are as follows:

(a) Determine, by prediction or estimation, the mean ($\bar{x}$) and standard deviation (s) of the Gaussian (normal) failure distribution.

(b)
(c) If $\bar{x}$ is large as related to s, the shape of the normal curve from t = 0 to t = $\bar{x} - 3s$ is relatively flat. The failure rate over the range t = 0 to t = $\bar{x} - 3s$ can be calculated by dividing the probability of failure (area under the normal curve) over this range by the time interval of the range. Since the curve is essentially flat, the failure rate is approximately constant.

(d) The approximation to a constant failure rate is appropriate for only the duration of the interval used in the calculation. However, if an equipment can be restored to its original operating condition by performing maintenance at intervals equal to, or less than, the ones used in calculating a constant failure rate, this failure rate can be applied to extended periods of time.
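The Assumption 2 conversion, steps (a) through (d), carried through in Python as an added example that is not part of the original document. The mean life and standard deviation are constructed sample values, and `normal_cdf` is a helper built on `math.erf` in place of a tabulated area under the normal curve.

```python
import math


def normal_cdf(x: float) -> float:
    """Area under the standard normal curve from -infinity to x (via math.erf)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def gaussian_to_constant_rate(mean: float, sigma: float) -> "tuple[float, float]":
    """Step (c): approximate a Gaussian failure distribution by a constant
    failure rate over the flat region 0 <= t <= mean - 3*sigma.

    The rate is the probability of failure in that range (area under the
    normal curve between t = 0 and t = mean - 3*sigma) divided by the length
    of the range.  Returns (rate, interval); `interval` is the only period
    for which the rate has been derived (step (d)).
    """
    if sigma <= 0.0:
        raise ValueError("standard deviation must be positive")
    interval = mean - 3.0 * sigma
    if interval <= 0.0:
        raise ValueError("mean must exceed 3*sigma for the flat-region approximation")
    area = normal_cdf((interval - mean) / sigma) - normal_cdf((0.0 - mean) / sigma)
    return area / interval, interval


def rate_usable_over(rate: float, interval: float, maintenance_interval: float) -> float:
    """Step (d): the constant rate may be applied to extended periods only if
    maintenance restores the item at intervals no longer than `interval`.
    Returns the rate unchanged, or raises if the maintenance interval is too long."""
    if maintenance_interval > interval:
        raise ValueError(
            f"maintenance interval {maintenance_interval} exceeds the {interval} "
            "over which the constant rate was derived"
        )
    return rate


def probability_of_failure(rate: float, t: float) -> float:
    """Constant-rate probability of failure in an interval t: 1 - e^(-rate*t)."""
    return 1.0 - math.exp(-rate * t)


if __name__ == "__main__":
    # Constructed sample: a wear-out part with mean life 10000 h and s = 1000 h.
    lam, interval = gaussian_to_constant_rate(10000.0, 1000.0)
    print(f"constant rate {lam:.3e} per hour, derived over {interval:.0f} h")
    # A 48 h maintenance period (ground rule 5.8.1) lies well inside the
    # 7000 h interval, so the rate can be carried over a 10-year system life.
    lam10 = rate_usable_over(lam, interval, 48.0)
    print(f"P(fail in 87600 h) = {probability_of_failure(lam10, 87600.0):.3e}")
```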

7.3.3 Assumption 3

The density function of inadvertent launch is uniform with time when Assumptions 1 and 2 above are utilized in calculations.
7.4 Logic Gate Formulas

7.4.1 These Logic Gate formulas are applicable to the inadvertent launch calculations because they account for failure duration times. They will not apply, except for rare instances, in the faulty launch calculations.

7.4.2 Coexistence of Failures at AND Gates

Given n repairable items. Let event $A_1$ represent the failure of item 1, event $A_2$ the failure of item 2, and in general $A_i$ the failure of item i. Suppose each item i fails randomly with constant failure rate $\lambda_i$ and duration time $\tau_i$ for i = 1, 2, ..., n, where $\lambda_i$ and $\tau_i$ are in consistent units.

Duration time is defined as the time from the occurrence of a failure to the time at which it is rendered ineffective.

The expression $1 - e^{-\lambda T}$ is the probability that an item, with constant failure rate $\lambda$, will fail in an interval of time T, given that the item was working at the beginning of the interval.

Consider an interval of time 0 to T as shown in Fig. 7.4.1-1.

Fig. 7.4.1-1: the interval 0 to T, with the sub-interval (t, t + dt) marked within it.

If $\lambda_i\,dt$ and $\lambda_i\tau_i$ are small for i = 1, 2, ..., n, then the probability that $A_1, A_2, \ldots, A_n$ coexist in the interval (t, t + dt), given that they have not coexisted up to time t, is given by the following expression:

$$\lambda_1\,dt\,(1 - e^{-\lambda_2\tau_2})(1 - e^{-\lambda_3\tau_3})\cdots(1 - e^{-\lambda_n\tau_n}) + \lambda_2\,dt\,(1 - e^{-\lambda_1\tau_1})(1 - e^{-\lambda_3\tau_3})\cdots(1 - e^{-\lambda_n\tau_n}) + \cdots + \lambda_n\,dt\,(1 - e^{-\lambda_1\tau_1})\cdots(1 - e^{-\lambda_{n-1}\tau_{n-1}}) = H\,dt$$
This expression is obtained by adding together the probabilities of each way in which n events can coexist for the first time in the dt interval. For example: $A_1$ can happen in the dt interval with a probability of $\lambda_1\,dt$. If $A_2$ is to coexist with $A_1$ in the dt interval, it must occur some time in a $\tau_2$ time period prior to t; the probability of this is $(1 - e^{-\lambda_2\tau_2})$. If $A_2$ occurs before $t - \tau_2$, it will be repaired before it can coexist with $A_1$ in the dt interval. If $A_2$ occurs after t, it will not coexist with $A_1$ in the particular dt interval under consideration. Similarly, $A_3$ must occur in a $\tau_3$ interval before t with a probability of $(1 - e^{-\lambda_3\tau_3})$ in order to coexist with $A_1$ for the first time in the dt interval, etc. The product of these probabilities expresses their joint occurrence and gives the first term of the above expression.

Now let f(t) be the probability that $A_1, A_2, \ldots, A_n$ have not coexisted up to time t. Then f(t + dt) is the probability that $A_1, A_2, \ldots, A_n$ have not coexisted during the time period from 0 to t + dt; this can also be expressed as

$$f(t + dt) = f(t)\,(1 - H\,dt)$$

where (1 - H dt) is the probability that $A_1, A_2, \ldots, A_n$ do not coexist in the dt interval.

Now by definition, the differential of f(t) is f(t + dt) - f(t); therefore

$$d f(t) = f(t)\,(1 - H\,dt) - f(t) = -H\,f(t)\,dt$$

and

$$\frac{d f(t)}{f(t)} = -H\,dt .$$

Solving this differential equation by integration we have

$$\ln f(t) = -Ht + c .$$

But when t = 0, f(t) = 1, ln f(t) = 0 and therefore c = 0, so that

$$f(t) = e^{-Ht} .$$

The probability (P) that $A_1, A_2, \ldots, A_n$ coexist at some time during the interval T is then given by the following:

$$P(A) = 1 - f(T) = 1 - e^{-HT} .$$

By comparing this equation with the standard equation for probability of failure $(1 - e^{-\lambda T})$ one can easily see that H is the failure rate for the coexistence of n events or, in other words, it is the failure rate appearing at the output of an AND gate. From this point on, therefore, H will be replaced by $\lambda_I$ (i.e., the failure rate for the intersection of n failures). If $\lambda_i\tau_i$ is small for all i from 1 to n, then H reduces to the following expression.
Therefore,

$$\lambda_I = \lambda_1\lambda_2\cdots\lambda_n\,(\tau_2\tau_3\cdots\tau_n + \tau_1\tau_3\cdots\tau_n + \cdots + \tau_1\tau_2\cdots\tau_{n-1})$$

or

$$\lambda_I = \lambda_1\lambda_2\cdots\lambda_n\,\tau_1\tau_2\cdots\tau_n\left(\frac{1}{\tau_1} + \frac{1}{\tau_2} + \cdots + \frac{1}{\tau_n}\right)$$

If $\tau_1 = \tau_2 = \cdots = \tau_n = \tau$, then $\lambda_I$ reduces to

$$\lambda_I = n\,\lambda_1\lambda_2\cdots\lambda_n\,\tau^{\,n-1} .$$

It can be observed that $\tau_I$ is an essential factor which enables the transfer of failure rates through succeeding logic gates.

7.4.3 Failure Rate ($\lambda_u$) at the Output of an OR Gate

Given an interval of time T, the probability (P) that none of the events $A_1, A_2, \ldots, A_n$ occur in the interval of time is

$$P(\bar{A}_1\bar{A}_2\cdots\bar{A}_n) = e^{-\lambda_1 T}\,e^{-\lambda_2 T}\cdots e^{-\lambda_n T} = e^{-(\lambda_1 + \lambda_2 + \cdots + \lambda_n)T}$$

The probability (P) that any one of the events $A_1, A_2, \ldots, A_n$ occurs is

$$P = 1 - e^{-(\lambda_1 + \lambda_2 + \cdots + \lambda_n)T}$$

This shows that the failure rate at the output of an OR gate (i.e., the failure rate for the union of failures) is the sum of the input failure rates, or

$$\lambda_u = \lambda_1 + \lambda_2 + \cdots + \lambda_n$$

7.4.4 Effective Duration Time ($\tau_u$) at the Output of an OR Gate

Consider the logic configuration shown in Fig. 7.4.4-1.
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Tigo  7.^0 4-1 

By  Boolean  algebra  the  output  of  gate  (1)  ia 
^1  ^+1  ^2  •^n+l  +  ••«  +  Aa  Aq^i* 

-The  failure  rate  for  the  output  of  gate  (1)  is,  therefore, 

<7; 

This  must  be  equal  to  the  failure  rate  obtained  by  combining 
the  output  of  gate  (2),  having  failure  rate  Au  and  effecti- 
Tity  time  'T'u  with  the  failure  rate  and  effectivity  time  of 
event  This  is  expressed  as  follows: 

A u  7^  n+1  ^n+1^  “ 

7^1*^n+l  ^^1  ’n+1^  '•'TvaT^n+l  ^  '2  +0.0 

Substituting  in  the  expression  for7u  we  get 

<  Ai  +  A2  "Xn+l  ^ 

A> 

“^l^n+1.^^  ■*’Xx+l^  ■^^2?^n+l  ^^2  *'^a+l^ 

*Aa7^n.l<ra-r„.l5 

Therefore,  Tu  a  7l  1  *  'X  2  '^2  '*'  *  ~^n  n 

>^1+  7^2  *  •••  n 


th*n  reduces  to 

12  ^  " 

JLs  with'*Ta  t  is  an  essential  factor  which  enables  the 

transfer  of  failure  rates  through  succeeding  logic  gates* 

*  ,  '  .  '  * 

7*^»5  The  foregoing  results  are  summaurized  in  Table  1.  A  general 
proof  of  the  validity  of  these  results  is  given  in  paragraph 
7*4,7*  The  logic  gate  formulas  are  directly  applicable  to 
Boolean  expressions  as  well  as  to  logic  gates* 
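The following Python program is a worked example added here; it is not part of the original document. It evaluates the logic gate formulas summarized above on a small constructed tree: the gate functions implement the AND and OR formulas of the preceding paragraphs for λ (failures per hour) and τ (effective duration in hours), and the bottom-event values and tree shape are assumed for illustration and belong to no fault tree in this document.

```python
"""Propagating failure rate (lambda, failures per hour) and effective
duration time (tau, hours) through AND and OR gates with the logic-gate
formulas of the preceding paragraphs. Added example; the event values
are constructed and belong to no fault tree in this document."""
from typing import Dict, List, Tuple, Union

Event = Tuple[float, float]   # (lambda, tau)
Tree = Union[str, Tuple]      # leaf name or ('AND', ...) / ('OR', ...)


def and_gate(inputs: List[Event]) -> Event:
    """AND gate (all n failures must coexist):
    lambda = lambda_1 ... lambda_n (tau_2 ... tau_n + tau_1 tau_3 ... tau_n + ... + tau_1 ... tau_{n-1})
    1/tau  = 1/tau_1 + ... + 1/tau_n
    The formula assumes every lambda_i * tau_i is small."""
    if not inputs:
        raise ValueError("AND gate needs at least one input")
    lam_product = 1.0
    for lam, _ in inputs:
        lam_product *= lam
    # Sum over i of the product of all tau_j with j != i.
    tau_sum = 0.0
    for i in range(len(inputs)):
        term = 1.0
        for j, (_, tau) in enumerate(inputs):
            if j != i:
                term *= tau
        tau_sum += term
    lam_out = lam_product * tau_sum
    tau_out = 1.0 / sum(1.0 / tau for _, tau in inputs)
    return lam_out, tau_out


def or_gate(inputs: List[Event]) -> Event:
    """OR gate (any one failure suffices):
    lambda = lambda_1 + ... + lambda_n
    tau    = (lambda_1 tau_1 + ... + lambda_n tau_n) / (lambda_1 + ... + lambda_n)"""
    if not inputs:
        raise ValueError("OR gate needs at least one input")
    lam_out = sum(lam for lam, _ in inputs)
    tau_out = sum(lam * tau for lam, tau in inputs) / lam_out
    return lam_out, tau_out


def evaluate(tree: Tree, leaves: Dict[str, Event]) -> Event:
    """Work up the tree from the bottom events; tau is carried along
    because the next gate up needs it."""
    if isinstance(tree, str):
        return leaves[tree]
    op, *children = tree
    results = [evaluate(child, leaves) for child in children]
    return and_gate(results) if op == "AND" else or_gate(results)


def unavailability(event: Event) -> float:
    """lambda * tau: the fraction of time the fault exists. It multiplies
    across an AND gate and adds across an OR gate, which is a quick check
    on hand calculations."""
    lam, tau = event
    return lam * tau


# Constructed bottom events: (failures per hour, effective duration in hours).
LEAVES = {"A": (1e-3, 2.0), "B": (1e-4, 10.0), "C": (2e-4, 5.0)}
# Top event = A AND (B OR C).
TREE = ("AND", "A", ("OR", "B", "C"))

if __name__ == "__main__":
    lam, tau = evaluate(TREE, LEAVES)
    print(f"top event: lambda = {lam:.3e}/h, tau = {tau:.3f} h, "
          f"lambda*tau = {lam * tau:.3e}")
```

For the constructed tree the OR gate yields λ = 3 × 10⁻⁴/h with τ = 6.67 h, and the AND gate above it yields λ = 2.6 × 10⁻⁶/h with τ = 1.54 h; the product λτ at the top (4 × 10⁻⁶) equals the product of the two AND inputs' λτ values, which is the check `unavailability` provides.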
7.4.6 Combining Probabilities with Failure Rates at Logic Gates

7.4.6.1 In evaluating the fault trees, the need will arise to combine failure rates with probabilities. Examples of this are shown below.

Random Generation of ELC

7.4.6.1.1 Conditions:

(1) Let λ₁, λ₂ represent equipment failure rates, and τ₁, τ₂ the corresponding fault durations of equipment failures which result in the generation, transmission, or receipt of random bits.

(2) Let P represent the probability that one word length of random bits has the correct ELC format.

(3) Let C represent the period between radio or cable slots at a particular Launch Facility, i.e., the time for one cycle. C is smaller than both τ₁ and τ₂.

(4) Assume that only one valid ELC can be transmitted in a time slot. Assume also that P, λ₁τ₁ and λ₂τ₂ are small.

7.4.6.1.2 Conclusion:

The failure rate for the random generation of an ELC under the above conditions is

If only one equipment failure is required, then the failure rate is

The effective duration of an ELC failure (τ) is zero.
7.4.6.1.3 Derivations

Consider the interval of time shown in Fig. 7.4.6.1.3-1.

Fig. 7.4.6.1.3-1 (time interval diagram)

By reasoning similar to that given in Paragraph 7.4.1, the probability (P_c) that A₁ and A₂ coexist with a time slot in which a valid ELC is generated is


■  \  at 


re  ^  j  as  ♦  Aj  at 
c 


PS  At  ds 

c 


where ^ is the number of slots available for ELC generation as a function of position s.

From this it can be shown that the failure rate is
7.4.7 Proof of Logic Gate Formulas

Suppose we are given a fault tree where only coexistence of events is of concern at each AND gate (i.e., the order in which events occur in time is not important). Suppose further the bottom elements of the fault tree consist of items which can be assigned constant failure rates and fixed duration times from the advent of the failure to the correction of the failure (i.e., fixed repair times).

We proceed up the fault tree obtaining new λ's and τ's by use of the following formulas. Suppose we have n events, A₁, A₂, …, Aₙ to be ANDed and suppose we have associated with them the failure rates λ₁, λ₂, …, λₙ and "effective duration times" τ₁, τ₂, …, τₙ. The λ output of the gate is given by

$\lambda = \lambda_1 \lambda_2 \cdots \lambda_n \left( \tau_2 \tau_3 \cdots \tau_n + \tau_1 \tau_3 \cdots \tau_n + \cdots + \tau_1 \tau_2 \cdots \tau_{n-1} \right)$

The τ output (effective duration time output) is given by

$\frac{1}{\tau} = \frac{1}{\tau_1} + \frac{1}{\tau_2} + \cdots + \frac{1}{\tau_n}$

If the n events are to be ORed, the λ output is

$\lambda = \lambda_1 + \lambda_2 + \cdots + \lambda_n$

and the τ output is

$\tau = \frac{\lambda_1 \tau_1 + \lambda_2 \tau_2 + \cdots + \lambda_n \tau_n}{\lambda_1 + \lambda_2 + \cdots + \lambda_n}$

We will prove that the failure rate output at any gate in the fault tree is correct when the above formulas are used. Write the output from any logic gate as the union of n chains, C₁, C₂, …, Cₙ (a chain is a series of ANDed events), where


®i  -  *1  n  0  ...  n  ri. 
The λ's are

"  ^J3 1  • '  *  {^b!  '•  -+  •  ‘  ‘  +  I  •  ' 

xp  ,,  pL  X b7 ' "  Xe-u  ("Hj 7 '  '’^fl.-.-i *^ ‘ ' ‘ + 'Ts 7 ■'^Fr) 

Pi  1/  Pa.  consists  of  the  m  +  n  chains  i‘iC>i  Di*"DTn 
from paragraph 7.4.3.


Write  I  <3 


X?  ^  A-a 


,har.  'A^-  XaI—  >AL,^'/^^•-^/»!,+■•'+V■■V,,^A^'•T/^« 

Similarly, write


A(S; 


where  ^  ^  |  " TjjI  * 

'  4n»  I 


Now the τ output should be

This is seen by examining Equation 5 where the chains are C₁ … Cₙ, D₁ … Dₘ.

/  /  / 

By Equation 4,

%,  -^IgaTg^.  = 

A^l  +  X/5a 

rr  A'^S, 

^(5i  +  7\^'a- 


-f  "X^s 


This proves the τ output of an OR gate maintains the correct form (as given by Equation 5) when Equation 4 is applied.

7.4.7.2 Proof of AND Gate Formulas

It will now be shown that the τ output of an AND gate is of the correct form and that the λ output of the AND gate is correct given (by induction) that the λ inputs are correct and the τ's are of the form indicated by Equation 5. We are now interested in
Now

AB  ^  >A', '  Ab’,  •  Aei,  %]  r^l  .  ■  •  TbI^,^ 

+  AAr  ■••■AA">Br  —  XbL^a:  •••  '^cL 

AB is therefore identical with the numerator of Equation 7.
It  follows  that  we  must  now  only  show  that  A  +  2  X/s  =  C 

'•  -'^1 

*''"^oi,V,''-A/>k,(TG;--'%s,%''-'TA;;^,i+'''  +  %,...Tpji_T;;;...T;i| , 


Regrouping the above by adding line one of the above to line 3 and line 2 to line 4 (in general line y would be added to line m+n+y for y = 1 … m+n), it is easily seen that the result is C. It remains to show that the failure rate from the output of the AND gate is correct. This means we must show that

-  C 

But 


by what we just proved.


7.4.7.3 Generalization

We have shown that

= C

is the correct τ formula for 2 items.


T7'*'T1 
7.5 Interacting Branches


When two or more branches interact or, in other words, when a failure is common to two or more branches of a fault tree, error is induced into the final probability number unless the Boolean expression is simplified. This fact is noted in Section 5, Page 6. When combining failure rates through AND and OR gates from the bottom of the fault tree to the top, careful inspection must be employed to insure that no unconservative error is induced into the probability calculation. A conservative error is defined as an error which makes the final probability number larger than it should be. A discussion of errors and remedies follows.

7.5.1 OR Gate Interaction Error

If two or more branches with common terms unite at an OR gate, the induced error is conservative and often insignificant. The general proof of this is found in paragraph 7.5.5.2. The conservative error induced by common branches at an OR gate is not a serious condition; however, if further refinement is desirable, the Boolean expression may be obtained and simplified up to the point at which the branches unite.

7.5.1.1 Examples:

In both cases shown below, the probability expression on the left of the inequality sign (the probability which would be obtained by combining probabilities directly through logic gates) is seen to be conservative.


Unsimplified: A + B + AC. Simplified: A + B.

$P(A) + P(B) + P(A) P(C) > P(A) + P(B) - P(A) P(B)$

Unsimplified: AB + AC. Simplified: A(B + C).

$P(A) P(B) + P(A) P(C) > P(A) \left[ P(B) + P(C) - P(B) P(C) \right]$

7.5.2 AND Gate Interaction Error

If two or more branches with common terms unite at an AND gate, an unconservative error is always induced. This is proved in general in paragraph 7.5.5.3.
7.5.2.1 Examples:

In both cases shown below, the probability expression on the left of the inequality sign (the probability which would be obtained by combining probabilities directly through logic gates) is seen to be unconservative.

(a) Unsimplified: (A + B) AC. Simplified: AC.

$\left[ P(A) + P(B) \right] P(A) P(C) < P(A) P(C)$

(b) Unsimplified: (A + B)(A + C). Simplified: A + BC.

$\left[ P(A) \right]^2 + P(A) P(C) + P(A) P(B) + P(B) P(C) < P(A) + P(B) P(C) - P(A) P(B) P(C)$

Since this condition results in a final probability number which is smaller than it should be, a remedy must be applied to eliminate its effect.

7.5.2.2 Remedies:

7.5.2.2.1 The AND gate interaction error can be removed entirely by expressing the terms of the interacting branches in Boolean form and by simplifying the expression. The logic gate formulas can then be applied directly to the expression without restoring it to fault tree form. The Boolean expression need only be obtained up to the logic gate at which the interacting branches unite.

7.5.2.2.2 A conservative estimate of the final probability number may be obtained by substituting a probability of unity into all but one of the common terms. The unity probability should be assigned first to common terms at OR gates when a choice exists. If this remedy is applied to the probability expression of Example (a) of Paragraph 7.5.2.1, the following results are obtained:

$\left[ P(A) + P(B) \right] P(A) P(C) < P(A) P(C)$

$\left[ 1 + P(B) \right] P(A) P(C) > P(A) P(C)$

$P(A) P(C) + P(A) P(B) P(C) > P(A) P(C)$
Similarly, applying this remedy to Example (b) of Paragraph 7.5.2.1, we obtain the following:

$\left[ P(A) + P(B) \right] \left[ P(A) + P(C) \right] < P(A) + P(B) P(C) - P(A) P(B) P(C)$

$\left[ 1 + P(B) \right] \left[ P(A) + P(C) \right] > P(A) + P(B) P(C) - P(A) P(B) P(C)$

$P(A) + P(C) + P(A) P(B) + P(B) P(C) > P(A) + P(B) P(C) - P(A) P(B) P(C)$

7.5.3 Even though the probability of a common term may be negligible with respect to other probabilities at an OR gate, its effect as an interacting branch cannot be ignored. For example, suppose P(A) is negligible compared to P(B) in Examples (a) and (b) of Paragraph 7.5.2.1. It can readily be observed that an unconservative error is induced if the A term at the affected OR gate (gate 2) is dropped.

7.5.4 The foregoing results apply when combining failure rates through logic gates as well as when combining probabilities. If the methods of Paragraph 7.5.2.2.2 are used, the following rules govern in the combination of failure rates with unity probability:

7.5.4.1 If failure rates are to be combined with unity probability at an OR gate, the output of the OR gate has a probability of unity.

7.5.4.2 If failure rates are to be combined with unity probability at an AND gate, the input with unity probability is ignored since it has no effect at this gate.
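The following Python program is a worked example added here for the interacting-branch rules of paragraphs 7.5.1 through 7.5.4; it is not part of the original document. It pushes probabilities through the gates the way the "Unsimplified" column does (product at AND, sum at OR), computes the probability of the simplified expression by enumerating the independent basic events, classifies the error as conservative or unconservative, and applies the unity-substitution remedy of 7.5.2.2.2. The three trees and the value 0.1 assumed for each probability are constructed; the tree walk is general and goes beyond the two-branch examples given above.

```python
"""Interacting branches (paragraph 7.5): a common event appearing in two
branches makes the gate-by-gate probability wrong unless the Boolean
expression is simplified. Added example with constructed trees and
probabilities (P(A) = P(B) = P(C) = 0.1 are assumed values)."""
from itertools import product

# A tree is a basic-event name (str), the integer 1 (an input whose
# probability has been set to unity), or ('AND', ...) / ('OR', ...).


def gate_probability(tree, probs):
    """Combine probabilities straight through the gates the way the
    'Unsimplified' column does: product at AND, plain sum at OR."""
    if tree == 1:
        return 1.0
    if isinstance(tree, str):
        return probs[tree]
    op, *children = tree
    values = [gate_probability(c, probs) for c in children]
    if op == "AND":
        result = 1.0
        for v in values:
            result *= v
        return result
    return sum(values)


def holds(tree, state):
    """Truth value of the expression for one assignment of the basic events."""
    if tree == 1:
        return True
    if isinstance(tree, str):
        return state[tree]
    op, *children = tree
    results = (holds(c, state) for c in children)
    return all(results) if op == "AND" else any(results)


def exact_probability(tree, probs):
    """Probability of the simplified expression for independent events,
    found by enumerating every combination of basic events. This is what
    the 'Simplified' column gives in closed form."""
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if holds(tree, state):
            weight = 1.0
            for name, failed in state.items():
                weight *= probs[name] if failed else 1.0 - probs[name]
            total += weight
    return total


def interaction_error(tree, probs):
    """'conservative' if the gate-by-gate number is at least the exact
    probability (OR gate case, 7.5.1), 'unconservative' if it is smaller
    (AND gate case, 7.5.2)."""
    naive = gate_probability(tree, probs)
    exact = exact_probability(tree, probs)
    return "conservative" if naive >= exact - 1e-12 else "unconservative"


def _occurrences(tree, event, parent=None, path=()):
    """(path, parent gate) for every occurrence of `event` in the tree."""
    if tree == event:
        return [(path, parent)]
    if isinstance(tree, tuple):
        op, *children = tree
        found = []
        for i, child in enumerate(children):
            found.extend(_occurrences(child, event, op, path + (i,)))
        return found
    return []


def _with_unity(tree, paths, path=()):
    """Copy of the tree with the inputs at `paths` replaced by unity."""
    if path in paths:
        return 1
    if isinstance(tree, tuple):
        op, *children = tree
        return (op, *[_with_unity(c, paths, path + (i,)) for i, c in enumerate(children)])
    return tree


def unity_remedy(tree, event):
    """Remedy 7.5.2.2.2: set all but one occurrence of the common event to
    unity probability, taking the occurrences at OR gates first, so that a
    conservative estimate results."""
    occurrences = _occurrences(tree, event)
    if len(occurrences) < 2:
        return tree
    keep = next((p for p, parent in occurrences if parent == "AND"),
                occurrences[0][0])
    return _with_unity(tree, {p for p, _ in occurrences if p != keep})


# Constructed examples, mirroring the shapes discussed in 7.5.1.1 and 7.5.2.1.
PROBS = {"A": 0.1, "B": 0.1, "C": 0.1}
OR_CASE = ("OR", "A", "B", ("AND", "A", "C"))            # A + B + AC
AND_CASE_A = ("AND", ("OR", "A", "B"), "A", "C")           # (A + B) A C
AND_CASE_B = ("AND", ("OR", "A", "B"), ("OR", "A", "C"))   # (A + B)(A + C)

if __name__ == "__main__":
    for name, tree in [("OR case", OR_CASE), ("AND case (a)", AND_CASE_A),
                       ("AND case (b)", AND_CASE_B)]:
        print(name, gate_probability(tree, PROBS), exact_probability(tree, PROBS),
              interaction_error(tree, PROBS))
    for tree in (AND_CASE_A, AND_CASE_B):
        remedied = unity_remedy(tree, "A")
        print(remedied, gate_probability(remedied, PROBS))
```

With the assumed probabilities the OR case gives 0.21 against an exact 0.19 (conservative), case (a) gives 0.002 against 0.01 and case (b) 0.04 against 0.109 (both unconservative), and after the unity remedy case (a) gives 0.011 and case (b) 0.22, both above the exact value as 7.5.2.2.2 states.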

7.5.5 Proof of the Effect of Interacting Branches at a Logic Gate

7.5.5.1 Preliminary Information

Any branch of a fault tree may be represented as a union of chains. A chain is defined as an intersection of one or more events. For example, suppose a branch of the fault tree has the following Boolean equation:

$[(R + S) T] [N + V (W + XY)] + Z$

This equation can be reduced to

$RTN + RTVW + RTVXY + STN + STVW + STVXY + Z,$

which is a union of seven chains. In the discussion to follow, the Boolean symbols ∪ and ∩ will be used in place of + and × respectively for the sake of clarity. The above equation can then be expressed in the following form:

$\bigcup_{i=1}^{7} K_i$

where K₁ = RTN, K₂ = RTVW, K₃ = RTVXY, etc.

Now suppose we wish to factor the common event R from each of the terms of the above expression. We can write it as follows:

$\bigcup_{i=1}^{7} K_i = \bigcup_{i=4}^{7} K_i \cup \left( R \cap \bigcup_{j=1}^{3} L_j \right)$

where L₁ = TN, L₂ = TVW and L₃ = TVXY.

7.5.5.2 Interacting Branches Unite at an OR Gate

Let A represent an event which is common to more than one branch of a fault tree. Consider the logic gate at which two or more interacting branches unite. Since all inputs of a logic gate can be combined two at a time, the case of two branches into a logic gate need only be considered. Let the two input branches be labeled events B and C.

Representing B and C as unions of chains as above, we get the following:

$B = \bigcup_{g=1}^{m} D_g \cup \left( A \cap \bigcup_{i=1}^{n} E_i \right)$

$C = \bigcup_{j=1}^{p} F_j \cup \left( A \cap \bigcup_{k=1}^{r} G_k \right)$

These equations express the fact that the common term A is contained in some chains and not in others.

If the two interacting branches unite at an OR gate, the Boolean expression is
Applying probability as if the terms were mutually exclusive (a good conservative approximation when probabilities are small) we get

$P(B \cup C) = \sum_{g=1}^{m} P(D_g) + \sum_{j=1}^{p} P(F_j) + P(A) \left[ \sum_{i=1}^{n} P(E_i) + \sum_{k=1}^{r} P(G_k) \right]$

This is equal to the probability [P(B) + P(C)] which would be obtained by combining probabilities through logic gates.

Suppose next that B has the following form:

$B = \bigcup_{g=1}^{m} D_g \cup A$

Then all A ∩ G_k terms drop out of C and

$B \cup C = \bigcup_{g=1}^{m} D_g \cup A \cup \bigcup_{j=1}^{p} F_j$

Applying probability as above we get

$P(B \cup C) = \sum_{g=1}^{m} P(D_g) + P(A) + \sum_{j=1}^{p} P(F_j).$

The probability which would be obtained by combining probabilities through logic gates [P(B) + P(C)] is

$P(B) + P(C) = \sum_{g=1}^{m} P(D_g) + P(A) + \sum_{j=1}^{p} P(F_j) + P(A) \sum_{k=1}^{r} P(G_k)$

therefore,

$P(B) + P(C) = P(B \cup C) + P(A) \sum_{k=1}^{r} P(G_k)$

$P(B) + P(C) \geq P(B \cup C)$

Hence, the probability obtained by combining probabilities through logic gates is either correct or conservative for interacting branches which unite at an OR gate.
7.5.5.3 Interacting Branches Unite at an AND Gate

If

$B = \bigcup_{g=1}^{m} D_g \cup \left( A \cap \bigcup_{i=1}^{n} E_i \right)$

$C = \bigcup_{j=1}^{p} F_j \cup \left( A \cap \bigcup_{k=1}^{r} G_k \right)$

then

$B \cap C = \left( \bigcup_{g=1}^{m} D_g \cap \bigcup_{j=1}^{p} F_j \right) \cup \left( A \cap \bigcup_{k=1}^{r} G_k \cap \bigcup_{g=1}^{m} D_g \right) \cup \left( A \cap \bigcup_{i=1}^{n} E_i \cap \bigcup_{j=1}^{p} F_j \right) \cup \left( A \cap \bigcup_{i=1}^{n} E_i \cap \bigcup_{k=1}^{r} G_k \right)$

Applying probability assuming mutually exclusive events, we get

$P(B \cap C) = \sum_{g=1}^{m} P(D_g) \sum_{j=1}^{p} P(F_j) + P(A) \sum_{k=1}^{r} P(G_k) \sum_{g=1}^{m} P(D_g) + P(A) \sum_{i=1}^{n} P(E_i) \sum_{j=1}^{p} P(F_j) + P(A) \sum_{i=1}^{n} P(E_i) \sum_{k=1}^{r} P(G_k)$

By combining probabilities through logic gates we would get

$P(B) P(C) = \left[ \sum_{g=1}^{m} P(D_g) + P(A) \sum_{i=1}^{n} P(E_i) \right] \left[ \sum_{j=1}^{p} P(F_j) + P(A) \sum_{k=1}^{r} P(G_k) \right]$

$= \sum_{g=1}^{m} P(D_g) \sum_{j=1}^{p} P(F_j) + P(A) \sum_{k=1}^{r} P(G_k) \sum_{g=1}^{m} P(D_g) + P(A) \sum_{i=1}^{n} P(E_i) \sum_{j=1}^{p} P(F_j) + \left[ P(A) \right]^2 \sum_{i=1}^{n} P(E_i) \sum_{k=1}^{r} P(G_k)$

P(B) P(C) and P(B ∩ C) are equivalent except for the last terms.

$\left[ P(A) \right]^2 \sum_{i=1}^{n} P(E_i) \sum_{k=1}^{r} P(G_k) \leq P(A) \sum_{i=1}^{n} P(E_i) \sum_{k=1}^{r} P(G_k)$

therefore,

$P(B) P(C) \leq P(B \cap C)$

That is, the probability obtained by combining the probabilities of two interacting branches at an AND gate is unconservative.
7.6 Nonrepairable and Short-time System Mode Analysis

7.6.1 During the missile flight or while the system is in a test mode, the effective duration time of a failure (τ) is that length of time which begins with the event of failure and ends at the close of the test mode or end of flight. Since this length of time depends upon the particular event rather than upon a predictable repair time, the method of calculation applicable to inadvertent launch is not applicable to the faulty launch or test mode analysis. The faulty launch tree is concerned with short-time modes and flight events and a straightforward probability analysis on a "per launch" basis should be used. Similarly, the portions of a fault tree concerning the system in a test mode or other short-time mode should be treated on a "per test" probability basis.

7.6.2 "And" Gates

In general, P_u = P₁ P₂ ⋯ Pₙ. Since any requirement for event sequences will tend to reduce the overall probability, the preceding expression is conservative.

Each of the input probabilities must be expressed on the same basis (i.e., "per test", or "per launch", etc.) and the resultant probability will be in the same units.

7.6.3 "Or" Gates

In general P_u is given by the probabilities of all combinations. A usefully conservative estimate is P_u = P₁ + P₂ + ⋯ + Pₙ where P_u ≪ 1.

Each of the input probabilities must be expressed on the same basis (i.e., "per test", or "per launch", etc.) and the resultant probability will be in the same units.

7.6.4 Conservative Estimates

For either type of gate, decision should be made on an individual basis as to whether to use the preceding, conservative probability expressions or more nearly exact expressions.

7.6.5 In the acquisition of fundamental data, as failure rates, for calculation in a fault tree, events may be characterized by a failure rate (λ) and duration time (τ) or by a probability for a specified time or number of cycles.

For the faulty launch tree which is to be handled on a probability basis, data which is acquired as a failure rate is converted to a probability by multiplying λ by the length of time of the mode where λ is in terms of failures per hour. When λ is given in terms of failures per cycle, then λ multiplied by the number of cycles in the mode is the probability of failure.

For the inadvertent launch tree where calculation is done on a (λ, τ) basis, data which is acquired as a probability of failure per cycle or per hour must be incorporated in the mathematical treatment of the tree. Where the cyclical probability of failure for an event is given, an estimated λ in failures per hour may be derived by multiplying the cyclical probability by the estimated number of cycles per hour. τ is determined as the duration time of the failure. Where one event characterized by a probability acts as a moderator (at an "and" gate) of an event characterized by a λ and a τ, the output of the gate may be represented by the product of the input probability and the input failure rate, which is interpreted as the output failure rate, and τ output = τ input.


7.7 Final Calculations

7.7.1 System Safety Constants

The system fault trees may be separated into two categories: a system tree(s) dealing with faulty launch and a system tree(s) dealing with inadvertent launch. For the weapon system there is a probability of inadvertent launch during the system life (inadvertent launch safety constant) and a probability of faulty launch during the system use (faulty launch safety constant). The determination of these constants is the goal of the mathematical treatment of the fault trees.

7.7.2 Squadron Calculations

All calculations in a fault tree should be based upon failures which affect a specific launch facility. For the inadvertent launch tree, the final failure rate (or probability of failure) should then be multiplied by 50 to obtain the applicable failure rate (or probability of failure) for a squadron.

For the faulty launch tree, the final failure rate (or probability of failure) is expressed on a "per launch" basis. (Reference )


7.7.3 Inadvertent Launch Safety Constant

The inadvertent launch safety constant, (S.C.), is composed of contributions both from long-term operating events (characterized by a failure rate λ and duration time τ) and from short-time test events represented by a probability figure.

Use of the logic gate formulas provides a single failure rate (λ) for inadvertent launch at the top of those tree branches derived from long-term events. To determine the contribution of such a branch to the overall inadvertent launch safety constant for a squadron over any period of time (T), the following formula is used:

$(S.C.) = 1 - e^{-50 \lambda T}$

which reduces to

$(S.C.) = 50 \lambda T$

when 50λT is small.


Those branches of the tree representing short-time test events provide a single probability of failure for inadvertent launch per branch. Such a probability may be determined either on an event basis or on a time basis. Probabilities on a "per event" basis, when multiplied by the number of events in time T, yield the contribution to inadvertent launch by such branches. If the test event contribution is determined on a time basis rather than an event basis, then the probability per hour for a squadron is converted to the squadron probability contribution to inadvertent launch for such branches for time T by the following formula:

$(S.C.)_T = 1 - \left[ 1 - (S.C.)_1 \right]^T$

which reduces to:

$(S.C.)_T = T \, (S.C.)_1$

when T(S.C.)₁ is small.

The resultant probabilities from the short-time event branches of the tree added to the λ-derived portions of the inadvertent launch safety constant yield the overall (S.C.) per squadron for the system life.
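The following Python program is a worked example added here, not code from the document, carrying out the data conversions of paragraph 7.6.5 and the squadron formulas of 7.7.3 numerically, including the gap between each exact expression and its small-value approximation. The factor of 50 launch facilities per squadron comes from 7.7.2; the rates, probabilities, event counts and the ten-year period are assumed for illustration.

```python
"""Turning failure rates and short-time probabilities into the inadvertent
launch safety constant for a squadron, following 7.6.5 and 7.7.3.
Added example; the rates, probabilities and period below are constructed.
The factor of 50 launch facilities per squadron is the document's own."""
import math

FACILITIES_PER_SQUADRON = 50


def rate_to_mode_probability(lam: float, mode_length: float) -> float:
    """7.6.5: probability of failure during a short-time mode is lambda times
    the mode length (hours or cycles, whichever lambda is expressed in)."""
    return lam * mode_length


def cyclical_probability_to_rate(p_per_cycle: float, cycles_per_hour: float) -> float:
    """7.6.5: estimated lambda (failures/hour) from a per-cycle probability."""
    return p_per_cycle * cycles_per_hour


def moderated_event(p_moderator: float, event):
    """7.6.5: a probability moderating a (lambda, tau) event at an AND gate
    gives output failure rate P * lambda, with tau output = tau input."""
    lam, tau = event
    return p_moderator * lam, tau


def lambda_branch_contribution(lam: float, hours: float, exact: bool = True) -> float:
    """7.7.3: (S.C.) = 1 - exp(-50 lambda T), or 50 lambda T when that is small."""
    x = FACILITIES_PER_SQUADRON * lam * hours
    return 1.0 - math.exp(-x) if exact else x


def hourly_branch_contribution(p_per_hour: float, hours: float, exact: bool = True) -> float:
    """7.7.3: squadron probability per hour over T hours,
    (S.C.)_T = 1 - [1 - (S.C.)_1]^T, or T (S.C.)_1 when that is small."""
    return 1.0 - (1.0 - p_per_hour) ** hours if exact else hours * p_per_hour


def per_event_branch_contribution(p_per_event: float, events: int) -> float:
    """7.7.3: 'per event' probability times the number of events in time T."""
    return p_per_event * events


def inadvertent_launch_safety_constant(lam_branches, hourly_branches, per_event_branches, hours):
    """Sum of the lambda-derived and short-time-event contributions for a
    squadron over the period T (the combination 7.7.3 describes)."""
    total = sum(lambda_branch_contribution(lam, hours) for lam in lam_branches)
    total += sum(hourly_branch_contribution(p, hours) for p in hourly_branches)
    total += sum(per_event_branch_contribution(p, n) for p, n in per_event_branches)
    return total


# Constructed inputs: a ten-year system life in hours, two lambda-derived
# branches, one per-hour test branch and one per-event test branch.
SYSTEM_LIFE_HOURS = 10 * 365 * 24
LAMBDA_BRANCHES = [2e-11, 5e-12]          # failures per hour per launch facility
HOURLY_BRANCHES = [1e-10]                 # squadron probability per hour
PER_EVENT_BRANCHES = [(1e-8, 120)]        # (probability per test, tests in T)

if __name__ == "__main__":
    sc = inadvertent_launch_safety_constant(LAMBDA_BRANCHES, HOURLY_BRANCHES,
                                            PER_EVENT_BRANCHES, SYSTEM_LIFE_HOURS)
    print(f"(S.C.) per squadron over {SYSTEM_LIFE_HOURS} h: {sc:.3e}")
```

The `exact=False` paths give the linear approximations stated in the text; with 50λT = 5 × 10⁻⁴ the approximation exceeds the exact value by about 1.25 × 10⁻⁷, which is the direction (conservative) a safety calculation wants.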

7.7.4 Faulty Launch Safety Constant

The faulty launch safety constant (S.C.) is composed of probability contributions from both pre-flight and flight events.

Use of the probability formulas for the flight events of the missile results in a probability of faulty launch per missile which is the faulty launch safety constant contribution due to the flight analysis. Short time events which contribute to faulty launch prior to flight initiation yield a probability contribution to (S.C.) on a "per event" or "per unit time" basis. Probabilities on a "per event" basis, when multiplied by the number of events prior to launch, form the contribution of such branches to (S.C.).

For test event contributions to (S.C.) determined on a time basis rather than an event basis, the probability per hour for a missile is converted to the missile probability for any time T by the following formula:

$(S.C.)_T = 1 - \left[ 1 - (S.C.)_1 \right]^T$

which reduces to

$(S.C.)_T = T \, (S.C.)_1$

when T(S.C.)₁ is small.

The resultant probabilities from the pre-flight events added to the flight event contribution form the overall (S.C.) per missile for the missile life.
SECTION

DOCUMENT (D2-30207-1)

DEFINITIONS OF TERMS

The following is a list of terms and symbols defined for use in this document (D2-30207). It does not necessarily apply to the Bell Telephone Laboratories material reprinted in Sections … and ….

An "Inadvertent Launch" is defined as an unwanted launch (first stage ignition) of a missile at the tactical site caused by one or more faults. The silo cover is operated to OPEN. The destination or successful firing of succeeding stages is not relevant.

A "Faulty Launch" is an authorized launch which malfunctions to result in impact of an armed warhead outside of the area specified in AF BSD 62-123.

"Safety" is defined as freedom from the potential or actual occurrence of undesired, unscheduled or out of sequence events which jeopardize life, health or property.

A "Safety Item" is a deficiency in the design, procedures or operations which will generate a Hazard.

A "Hazard" is a condition which will lead to a potential or actual occurrence of undesired or out of sequence events which jeopardize life, health, property, and the international relations of the United States.

The "Safety Constant" is the probability for a specified period of time of the occurrence of a defined undesired, unscheduled or out of sequence event which jeopardizes life, health or property.

A "Fault" is a malfunction within the system. It includes the "Failure" of circuits and equipment to perform due to any cause, excluding human intervention.

The "Effective Duration Period" of a failure is the time from the occurrence of a failure to its correction, to shutdown, or to safing of the affected launch facilities or missiles.
Fault tree symbols:

A logical AND relation.

A logical OR relation.

An event, usually a malcondition, describable in functional terms.

An event, usually a malfunction, describable in terms of a specific circuit or component. It is represented by the symbol X with a numerical subscript.

An event not developed further because of lack of information or because of lack of sufficient consequence. It is represented by the symbol W with a numerical subscript.

An event that is normally expected to occur.

A connecting symbol to another part of the fault tree within the same major branch. It is represented by the symbol Y with a numerical subscript.

A connecting symbol to another part of the fault tree in a different major branch (such as an interconnection between the P/O and OPE branches). It is represented by the symbol Z with a numerical subscript.

A probability of failure which, though a numerical value can be assigned, is sufficiently small to be neglected in the context shown.

A probability of failure which cannot be assigned a numerical value but is considered to be exceedingly small and is assumed to be zero.
INTRODUCTION

1.1 The following pages of this section are a reprint of Section VII of the Bell Telephone Laboratories' Launch Control Safety Study dated September 15, 1962. This reprint describes the fault tree concept and methods for development and construction. Although it was prepared for the WS-133A system, the methods are applicable to the WS-133B system. Its references are to other Sections of the Safety Study which are not included in this document.

1.2 Boeing document page numbers are added to facilitate the handling and release of this section.
METHOD OF INADVERTENT-LAUNCH ANALYSIS

1. INTRODUCTION

The task of the study was an examination of a complex data transmission and processing system, called a Launch Control System (LCS), in order to determine its ability to provide safety against an Inadvertent, i.e., accidental, Launch (IL). In particular, it required an identification of those elements of the LCS in which a failure significantly increased the probability of IL.

The "fault tree" concept was devised to carry out this task. The fault tree serves, first of all, to identify the events, usually undesired, that contribute to an IL. It then relates these events, logically, in order to show which events must exist at the same time and which are required on an "either-or" basis.

After fault trees are prepared for the major parts of the LCS, the next step is to determine the probability of occurrence of the significant failures and thence the probability of occurrence of IL in a given time interval. In performing this step, the major contributors to an IL appear. In order to accomplish this step in the analysis, it is desirable to prepare Boolean expressions that are equivalent to the fault tree and which make it possible to take account of multiple appearances of the same failures in the several branches of the tree, as well as the appropriate fault-detection features.

Both of these steps in the IL analysis are described in this section of the report.

2. THE FAULT-TREE CONCEPT

The concept of a fault tree can be illustrated by applying it to a simple and familiar system. Figure 7-1a shows a domestic hot-water system. The problem is to determine its susceptibility to malfunctioning in a catastrophic way, in this case, rupture of the hot-water tank. A fault tree is drawn (Figure 7-1b) that identifies the malfunctions that can contribute to a rupture and that relates these logically.

If event B (temperature-measuring device fails to actuate controller), or event C (controller fails to actuate gas valves), or event D (gas valve fails to close) should occur, heat will be applied continuously to the water in the tank. If this happens and event A (relief valve fails to …) has occurred, the pressure will not be relieved as intended but will continue to rise until the tank eventually ruptures (event F).

The Boolean expression for the fault tree is F = A (B + C + D), which states that F
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is  trja  If  A  tmd  (B  or  C  Q)  true.  Note  that  the  fault  tree  .asutneo  that  the 
remainder  of  the  87stem  tunctloaa  properly  bo  that  the  check  ralve  and  the  hot-water 
faucet  do  not  permit  flow  o<u  a(  the  tank.  The  mallunctioa  of  elther-to  an  open  condl- 
tloo  would  negate  erent  F.  The  fault  tree  can  be  developed  further  for  events  A 
throu^  D  tn  terms  of  the  parts  making  up  the  device  referred  to  In  each  event.  11 
failure  rates  for  the  parts  wore  known,  the  probability  of  event  F  occurring  in  a 
given  period  of  time  could  be  caic-.tlptcni  The  calculation  would  have  to  account  for 
tha  fact  that,  as  a  practical  matter,  event  F  Is  more  likely  to  occur  11  event  A  has 
occurred  prior  to  event  B,  C,  or  D.  If  B,  C,  or  D  occurs  and  the  relief  valve  works 
properly,  flooding  of  the  basement  would  provide  warning  of  the  malfunction  In  the 
gas  control  loop,  which  presumably  would  lead  to  manual  shutdown  and  repair 

3. EXPLANATION OF LAUNCH CONTROL SYSTEM FAULT TREE

The fault tree for the Minuteman LCS is the same in principle as that for the
simple system just described, though it is, of course, far more complex. Figure
7-2 summarizes the symbols used in the various fault trees. (Figures 7-2 through
7-6 appear at the end of this section.) The top of the LCS fault tree is shown in
Figure 7-3. The fault tree serves, first of all, to identify the events, usually
undesired, that contribute to an IL. The fault tree then relates these events logically,
using distinctive shape symbols for "AND" and "OR" in relating events. It should
be noted that in order for an IL to take place, it is necessary that the required events
or malconditions coexist. It is not necessary that the occurrence of these events be
simultaneous.

The development of the relation of events proceeds from those describable in
functional terms to those that pertain to a specific basic circuit or component or to
a specific code group. For instance, in the Launch Enable System (LES) branch,
the functional event of having the Safety Control Switch (SCS) armed is the result of
any one of three subevents. Two of these are again functional statements that
require further tree development, and the other is an event that pertains to a
particular component, namely, the failure of a specific relay to the ARMED condition. Events
of a functional nature are noted in a rectangular box, or, in special cases discussed
below, in a hexagon, while events that concern specific circuits or components are
shown in a circle.

The fault tree for IL has three major branches. The Programmer Group (P/G)
branch includes, as well as the P/G equipment itself, the arm ordnance and ignition
circuits to their terminal squibs in or near the missile, and anything else acting
directly upon the missile propellant charges, but it excludes the SCS. The second
branch of the tree is for the Data Processing Equipment (DPE), the top event of
this tree being the operation of the Command Signals Decoder (CSD) switch. The
third major branch is for the LES, with the top event here being the arming of
the SCS.

In addition to the above, fault trees have been developed for several of the critical
electromechanical devices that are used in the LCS, for the formation of code
groups, and for the Status Reporting System and power subsystems. Though
malfunctions in the Status Reporting System do not contribute directly to IL, they can
prevent the detection of malconditions in the in-line equipment, thus permitting
them to persist for extended periods of time.

4. DEFINITION OF INADVERTENT LAUNCH

For purposes of the study, IL is defined as an event characterized by ignition of
the first stage of the missile. This event may be divided into classes, according
to what occurs or does not occur within the Launch Facility (LF) and missile in
addition to first-stage ignition. It is useful to define three classes, as follows:

a. In-Silo Explosion

This consists of first-stage ignition and not launcher closure removal.

b. Short Launch

This consists of first-stage ignition and launcher closure removal and not one
or more of the other actions essential to a proper launch sequence.

c. Critical Launch

This consists of first-stage ignition and launcher closure removal and all of the
other actions essential to a proper LAUNCH sequence.

The different branches of the fault tree are biased in favor of one or another of
the classes of IL as defined above. The P/G branch is heavily biased in favor of an
In-Silo Explosion, with the probability being less for a Short Launch and much less
for a Critical Launch. The DPE branch is biased almost completely in favor of a
Critical Launch, since the P/G would be expected to function normally once the
CSD switch has operated, assuming the SCS armed, and the normal LAUNCH
sequence would occur. The LES branch is not biased one way or the other, SCS
ARMED being a necessary condition for any launch except those generated by the
Nozzle Control Units (NCU's) or within the explosive train itself.

5. PROGRAMMER GROUP FAULT TREE

Section III of Volume 2 presents the complete development of the fault tree for
P/G. This includes, as well as the P/G itself, the ordnance and arming circuits
to their terminal squibs in or near the missile, but excludes the SCS. Further, it
includes any malconditions that act directly upon the explosive train and propellant
of the missile downstream from the ignition squibs. For instance, as shown in
Figure 7-3, if (1) power should be applied to one or more of the NCU's through
malfunction of the P/G, and if (2) the heat generated is sufficient to ignite one of the
stages, an IL of the In-Silo Explosion class will occur. As a practical matter,
it does not matter in this particular case which stage ignites first. In an In-Silo
Explosion it can be expected that all stages will be ignited within a short time once
any one of them has ignited. It should be noted that the second and third stages of
the missile were specifically excluded from the study under the terms of the
contract. The NCU's for these stages are included here only because their effects
closely parallel those of the first-stage NCU's, and because their relations with the
P/G closely parallel those of the first-stage NCU's.

In the fault tree for the P/G, two malconditions must coexist in order to get an
output from the fault tree. These are shown in Figure 7-3. The first malcondition
is an Ignitor No. 1 or an Ignitor No. 2 firing signal sent by the P/G. The second
malcondition is an Arm Ordnance signal sent by the P/G, or Ignitor Safe and Arm
(S&A) device failing armed, or relay v-5 in the S&A module failing closed. The
last event is shown in a circle in that it is a malfunction describable in terms of a
specific component. The Ignitor S&A device failing armed is noted in a hexagon,
indicating that a fault tree has been developed separately for this particular
electromechanical device. The other events, being describable in functional terms and
requiring further development, are shown in rectangles.

The event "Ignitor No. 1 firing signal sent by P/G" will be developed here as
an illustration of the fault-tree method. Figure 7-4 is the logic block diagram for
the part of the system under consideration. This shows the circuit modules that
generate the firing signals to Ignitor No. 1 and Ignitor No. 2 of the first stage. It
also shows the final gate in the logic chain that triggers the modules and the
contacts of the Launch Enable Switch (LESW) through which the firing signals pass.

The fault trees for Ignitor No. 1 and Ignitor No. 2 are identical in form, and that
for Ignitor No. 1 only is given in Figure 7-5. Its development is detailed below.

a. An electrical signal to Ignitor No. 1 requires both firing of the Squib Driver
(an SPS-5) and a path through (or around) the LESW to get the signal to the
missile; hence, AND gate A is required.

b. In the left-hand branch, a signal path will exist if either the LESW contact is
in the LAUNCH position or if Test Load - Type 2 (TL-2) is shorted; hence,
OR gate B is required.

c. LESW contact No. 211 will be in the LAUNCH position if either the individual
contact shorts or if the switch is driven to LAUNCH; hence, OR gate C is
required.

d. The inadvertent driving of the LESW involves a different set of gates and will
not be developed here.
e. In the right-hand branch, an SPS-5 firing signal can be achieved only if both
Squib Driver (SD) power is on and the SPS-5 triggered (AND gate D). The
SPS-5 is an SD circuit using a Silicon Controlled Rectifier (SCR) as a switch.
The SPS-5 driver circuit cannot fail in such a way as to provide squib firing
current without driver power being applied. The Driver Power On branch
will not be developed here.

f. The SPS-5 either may be self-triggered or may be triggered by receiving a
driving signal from the preceding stage (OR gate E).

g. The Power Buffer Amplifier — Type 1 (SA-1) will provide a driving signal to
the SD if either it fails so as to produce an output or it receives a driving
signal from the preceding stage (OR gate F).

h. Magnetic gate type M-3 (M-3) will produce an output if either the gate
malfunctions so as to produce an output or if the correct input conditions are
achieved (OR gate G).

i. Both a gate malfunction such as to produce a logical "1" or "true" output from
the magnetic core and an INTERLOCK signal to turn on the transistor output
amplifier, which is a part of the M-3 module, are required to obtain an
output from the circuit module if the correct input conditions are not met (AND
gate H). The INTERLOCK signal generation will not be developed here.

j. The input conditions required to yield an output (AND gate I), assuming proper
operation of the M-3 module, are:

1. The presence of an LI signal (a P/G generated LAUNCH signal)

2. The absence of a First-Stage Engine Timer inhibit signal, which is
equivalent to saying that a First-Stage Engine Timer signal appears to have
been generated, and

3. The absence of an Ordnance Armed Inhibit signal, which is equivalent to
saying that the ordnance devices appear to be armed,

4. The presence of an INTERLOCK signal to turn on the transistor output
amplifier.

The INTERLOCK PRESENT condition is the output of an OR gate, since either
a CSD INTERLOCK signal or a TEST INTERLOCK signal will turn on the transistor
output amplifier. This is not shown in Figure 7-5 nor is the generation of the other
input signals. The complete development will be found in Section III of Volume 2.

6. DATA PROCESSING EQUIPMENT FAULT TREE

The fault tree for the DPE was developed in a manner similar to that described
for the P/G. The logic diagrams for the DPE were studied in order to identify and
relate in fault-tree form those events that contribute to IL. As shown in Figure 7-3,
the top event of the tree is the operation of the CSD switch. This may be caused by
either of two events, operation by failures internal to the CSD itself, or operation
by having the proper code read into the CSD. The latter in turn requires that all
of three conditions coexist. First, the proper code must be in the Fire Code (FC)
store of LEU No. J. Second, the FC gate must be enabled, and third, FC shift
pulses must be received. Each of these events requires further fault tree
development, which is presented fully in Section IV of Volume 2.

The DPE fault tree shows a number of hexagon symbols, indicating that these
events are developed further in additional fault trees. One case is in the operation
of the CSD by a failure within the device itself. The seven other cases concern the
formation of particular code groups; namely, the 18-bit FC, the "sync" group, and
the five Launch Control Center (LCC) addressor codes. Each such event is
identified by the symbol Z with a numerical subscript.

7. LAUNCH ENABLE SYSTEM FAULT TREE

The LES was added to the LCS as a part of Block Change No. 1. The purpose
was to increase protection against IL and to provide selective control of the firing
of individual missiles. It was designed to be a FAIL-ARM system in order not to
increase the vulnerability to enemy action of the Minuteman squadron. As a
consequence there are many malconditions, any one of which occurring will result in
the arming of the SCS, which is the top event of the fault tree for the LES. This
circumstance is reflected in the predominance of OR gates in the tree.

As shown in Figure 7-3, either of three conditions may cause the top event —
arming of the SCS — to occur. These are a failure internal to the SCS, a failure
of relay K-2 in the Safe and Arm Module of the Main Junction Box to the open state,
or the condition where the output relay in the 3400-cps detector is not closed. The
last condition requires further fault-tree development, which is presented fully in
Section V of Volume 2. Arming of the SCS by internal failure, shown in a hexagon
symbol, is considered in Section XII of Volume 2.

8. SUPPLEMENTARY FAULT TREES

In addition to the three major fault trees described above, there have been fault
trees developed in several other areas of special interest as discussed below.

a. Status System Fault Tree. Section VI of Volume 2 develops the fault tree for
the Status System. This system is relevant to the IL problem because it
informs the operator of the existence of faulty conditions in the DPE and P/G
equipment at the LF's. If the Status System fails to provide such indications,
the faulty condition, once having occurred, will be allowed to persist for a
prolonged period of time.

The status indication of the SCS is a good example of the above point. The
operator is provided with an ARMED light at the LCC when the SCS has left
the SAFE position, provided that the Status System is functioning properly.
If certain particular malfunctions or combinations thereof have occurred in
the Status System, as shown on the fault tree for this system, the ARMED
light at the console will fail to illuminate so that any one of a number of
malfunctions in the LES that results in the arming of the SCS will go undetected
for a prolonged period of time.

b. Electromechanical Device Fault Trees. Section XII of Volume 2 contains the
fault trees for the critical electromechanical devices that are used in the LCS.
These devices are the CSD, SCS, S&A devices, LESW, and the Volatile
Decoder of the DPE. Fault trees are developed separately for these devices
because of their mechanical aspects and the critical function that they perform
in the LCS. The outputs of the fault trees for these devices appear as inputs
at appropriate places in the P/G, DPE, and LES fault trees. They are
identified by a Z symbol, with a numerical subscript, enclosed in a hexagon.

c. Fault Tree for Code-Group Formation. Section X of Volume 2 uses the fault-tree
method in order to identify and relate the conditions necessary for the
formation of code groups in the cable plant. When modified by the probability
of having a particular code group formed, the outputs of such a tree can be
used as inputs to the appropriate places in the fault tree for the DPE. Such
inputs are also identified by a Z symbol, with a numerical subscript,
enclosed in a hexagon.

d. Power Subsystems Fault Tree. Though this is developed as a part of the
LES fault tree in Section V of Volume 2, it is of interest in other respects
as well, such as in preventing an LCF from initiating an INHIBIT message
when operating procedures call for it.

9. QUANTITATIVE ANALYSIS OF INADVERTENT LAUNCH PROBABILITY

Conceivable causes of IL in the LCS were reviewed in Section VI to determine
which had the greatest significance. Component part failures were particularly
significant, so that the relevant circuits and electromechanical devices which
appeared on the fault trees were analyzed to determine insofar as possible their
numerical rates of failure. In addition, a group of the causes reviewed were found
to be significant in the generation of undesired codes in the cable system. Their
effects were also analyzed and the numerical probabilities of occurrence determined
for the formation of particular code groups of interest. It now remains to apply
the results of these analyses to the fault trees in order to evaluate quantitatively
the susceptibility of various parts of the LCS to IL. Before this task becomes
manageable, there are several factors to be considered.

a. Factors To Be Considered

(1) Simplification. The first factor is that the fault tree can be simplified
immediately to some extent by disregarding two types of malconditions. The first is a
malcondition that has a probability of occurrence which, though a numerical value
can be assigned, is sufficiently small to be neglected in the context in which it
appears. The symbol δ denotes this value of probability. For example, if there are
three inputs to an OR gate and the probability of one of these inputs being true is
very small compared to the probabilities of the other two inputs being true, then it
is a valid simplification to ignore the first input. The second type of malcondition
that permits simplification of the fault tree is one that has a probability of failure
which cannot be assigned an exact value but which is judged to be exceedingly small
so that it can be assumed to be zero. The symbol ε is used to denote this value of
probability. For instance, if there are three inputs to a given AND gate, one of
which has a probability of ε of becoming true, then the output of this gate can be
considered as having a probability of ε of becoming true, and the entire branch up
to and including the AND can be ignored.
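As an added illustration (example code, not from the report), the following Python builds the hot-water fault tree of Section 2, F = A(B + C + D), evaluates it for a given set of occurred events, computes the probability of F for independent basic events, and applies the δ and ε simplification rules just described. The event probabilities, the threshold used to call an OR input "very small", and the events X5 through X7 are constructed for the example.

```python
# Added example (not from the report): a small fault-tree evaluator. It builds the
# hot-water tree of Figure 7-1b, F = A(B + C + D), evaluates it for a given set of
# occurred events, computes P(F) for independent basic events, and applies the two
# simplification rules of Section 9a(1) (delta and epsilon inputs).
# All probabilities below are constructed sample values, not figures from the study.
import math
from dataclasses import dataclass
from typing import Dict, Optional, Union

EPSILON = "epsilon"  # marker for a probability that cannot be assigned but is assumed zero


@dataclass
class Event:
    name: str
    p: Union[float, str]  # a numerical probability, or EPSILON


@dataclass
class Gate:
    kind: str     # "AND" or "OR"
    inputs: list  # Gates and Events
    name: str = ""


Node = Union[Gate, Event]


def evaluate(node: Node, occurred: Dict[str, bool]) -> bool:
    """Boolean evaluation: has the top event occurred, given which basic events have?"""
    if isinstance(node, Event):
        return occurred.get(node.name, False)
    vals = [evaluate(n, occurred) for n in node.inputs]
    return all(vals) if node.kind == "AND" else any(vals)


def probability(node: Node) -> float:
    """P(node) assuming independent basic events that each appear only once in the
    tree (true of Figure 7-1b). AND: product; OR: 1 - product of (1 - p); EPSILON -> 0."""
    if isinstance(node, Event):
        return 0.0 if node.p == EPSILON else float(node.p)
    ps = [probability(n) for n in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)


def simplify(node: Node, delta_ratio: float = 1e-3) -> Optional[Node]:
    """Prune the tree with the report's two rules; returns None for an epsilon branch.
    - epsilon rule: an AND gate with an epsilon input has an epsilon output, so the
      whole branch up to and including that AND is dropped.
    - delta rule: an OR input whose probability is very small compared with its
      siblings is dropped. "Very small" is taken here (an assumption of this example)
      as less than delta_ratio times the sum of the other inputs' probabilities."""
    if isinstance(node, Event):
        return None if node.p == EPSILON else node
    kept = [simplify(n, delta_ratio) for n in node.inputs]
    if node.kind == "AND":
        return None if any(k is None for k in kept) else Gate("AND", kept, node.name)
    scored = [(k, probability(k)) for k in kept if k is not None]
    total = sum(p for _, p in scored)
    survivors = [k for k, p in scored if p >= delta_ratio * (total - p)]
    return Gate("OR", survivors, node.name) if survivors else None


def hot_water_tree() -> Gate:
    """F = A(B + C + D) from Figure 7-1b, with constructed probabilities."""
    A = Event("A", 0.01)  # relief valve fails to open
    B = Event("B", 0.02)  # temperature-measuring device fails to actuate controller
    C = Event("C", 0.02)  # controller fails to actuate gas valve
    D = Event("D", 0.01)  # gas valve fails to close
    return Gate("AND", [A, Gate("OR", [B, C, D], "heat applied continuously")], "F")


def simplification_demo():
    """Constructed extension of the hot-water OR gate: one delta input (X5, a known
    but negligible probability) and one AND branch containing an epsilon event (X7).
    Returns (P before pruning, P after pruning, surviving OR inputs)."""
    tree = hot_water_tree()
    heat = tree.inputs[1]
    heat.inputs.append(Event("X5", 1e-8))
    heat.inputs.append(Gate("AND", [Event("X6", 0.5), Event("X7", EPSILON)], "hypothetical"))
    pruned = simplify(tree)
    return probability(tree), probability(pruned), [n.name for n in pruned.inputs[1].inputs]


if __name__ == "__main__":
    tree = hot_water_tree()
    print(evaluate(tree, {"A": True, "C": True}))  # True: relief valve failed, heat stays on
    print(evaluate(tree, {"B": True, "C": True}))  # False: relief valve still works
    print(probability(tree))
    print(simplification_demo())
```

The evaluator deliberately models only the logic and the independent-event probabilities; it does not model the order-of-occurrence effect noted in Section 2 (A before B, C or D) nor the fault-detection features of factor (3), both of which change the effective duration of a malcondition rather than the Boolean structure.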

(2) Interconnections. The second factor that must be considered is that there
are interconnections that appear in intermediate areas of some of the fault trees.
An example of this appears in Figure 7-6, which shows a simplified fault tree for
the P/G in the STRATEGIC ALERT mode. The basic events in this tree have been
designated with the letters A through H in order to permit a description here of the
principles involved in manipulating fault trees. In the left branch of this tree there
are two intermediate events developed, Y1 and Y2. (Y1 is the input to the top gate
from the left branch, but it appears as well at three places in the middle branch of
the tree and at one place in the right branch; Y2 appears once in the middle branch
and once in the right branch.) Given the probabilities of the basic events A through
H occurring, the problem is to calculate the probability of the output of Gate No. 1
being true, taking into account the cross-connections represented by Y1 and Y2.

(3) Fault-Detection Features of LCS. The third factor that must be considered
is the effect of the various fault-detection features within the LCS. Such features
include the status indications, the Alarm and No-Go indications, and the automatic
shutdown provisions, for the various modes of operation such as STRATEGIC ALERT,
TEST, and CALIBRATE. The fault-detection features must be taken into account in
estimating the probabilities of IL because of their effects on the expected duration of
the in-line malconditions that they sense.

The characteristics of the fault-detection features that are of particular interest
are:

(a) Frequency of Operation. Some fault-detection features, such as the ARMED
status indication and the Critical Error (CE) circuitry of the DPE, operate
continuously. A fault should be noted immediately upon occurrence. Other fault-detection
features operate only at discrete times, such as during a Sensitive Command
Network Test (SCNT) or a TEST.

(b) Effect of Detecting a Fault. Information on some faults is displayed on the
LCC, while information on others is registered with the Voice Reporting Signal
Assembly (VRSA), with only a gross FAULT indication showing at the LCC. Selected
faults, such as CE's in the DPE, have an additional effect in producing a No-Go
condition at the LF.

(c) Reliability of Fault Detection Path. If a failure should occur in the fault-detection
path, then the duration of the in-line malfunction will be extended, perhaps
indefinitely.

b. Boolean Expressions

In order to accommodate the factors listed above, it is very useful to develop
a Boolean expression that describes the fault tree. Through proper algebraic
manipulation, multiple connections drop out and the fault-tree output can be expressed
in terms of the basic malconditions. Moreover, the terms of the final expression
can be grouped in whatever manner is most convenient to allow for fault-detection
features.

Before proceeding further it may be useful to discuss Boolean algebra briefly.
This algebra was first conceived by George Boole and presented in his book entitled
"An Investigation of the Laws of Thought," published in London in 1854. (Boolean
algebra is related to symbolic logic, algebra of classes, calculus of propositions,
algebra of logic, and switching algebra.) Unlike ordinary algebra, Boolean algebra
deals with variables that are permitted to assume only two different values.
Depending on the type of problem being treated, a Boolean variable might have the
values: on or off, good or bad, something or nothing, true or false, yes or no,
open or closed, present or absent, etc. For a generalized mathematical approach,
it is convenient to assign 0 and 1 as the two possible values of the variable and, in
turn, to let the 0 and 1 represent the two possibilities of a particular problem. In
the case of the fault tree, 0 represents false and 1 represents true, with respect to
a given malcondition that appears in the fault tree.

The basic operations most commonly used in Boolean algebra are a special form
of negation, a special form of addition, and a special form of multiplication. The
special form of negation used is symbolized with an overline, as ā, or with a prime,
as a', and may be read as "not a" or as "a prime." Functionally, the operation may
be written as NOT (a) = a'. Since only two variable values are permissible, if a =
1, then a' = 0, and if a = 0, then a' = 1.
The special form of addition employed is symbolized by a plus sign, as a + b,
and may be read as "a plus b." The expression signifies a "mixing" or "inclusive
OR" process and is also read as "a OR b." Functionally, OR (a, b) = a + b.

The special form of multiplication used is symbolized like a product in ordinary
algebra, as a · b, a(b), a x b, or simply ab. It may be read as "a times b" or just
"ab." The product indicates a "coincidence" or "ANDing" process, and it is also
read as "a AND b." Functionally, AND (a, b) = ab. Unlike a product in ordinary
algebra, ab = 1 if, and only if, both a = 1 and b = 1.

Table 7-1 shows some of the fundamental identities of Boolean algebra that are
relevant to the remainder of this discussion.
A typical example of the development of a Boolean expression for a fault tree
will now be described. Figure 7-6 shows the simplified fault tree for a part of the
P/G in the STRATEGIC ALERT mode. The numbers within the logic gates denote
the output variable of that gate in the Boolean expressions. The letters A through H
denote basic events, usually malconditions describable in terms of a specific circuit
or component. The symbols Y1 and Y2 are intermediate events that appear at more
than one place in the fault tree. [One sentence about the gate outputs and the fault
tree of the physical system is illegible in the scan.] An expression for the output of
Gate No. 1 in terms of the basic events A through H will now be developed.

Table 7-1
FUNDAMENTAL IDENTITIES OF BOOLEAN ALGEBRA

Title                      Identity
Elementary Propositions    a + a' = 1
                           aa' = 0
                           a + 1 = 1
                           a · 1 = a
                           a + a = a
                           aa = a
                           a'' = a
Associative Law            (a + b) + c = a + (b + c)
                           (ab)c = a(bc)
Commutative Law            a + b = b + a
                           ab = ba
Distributive Law           a(b + c) = ab + ac
                           a + bc = (a + b)(a + c)

Starting at the bottom of the left branch
(14) = C + D

For convenience let

(14) = Y2 = C + D

(13) = Y2 + E = C + D + E

(12) = B + C

(11) = (12) · (13)

Substituting

(11) = (B + C)(C + D + E)

Distributing

(11) = BC + BD + BE + CC + CD + CE

From the elementary propositions of Boolean algebra

C · C = C = C · 1

Grouping, commutating, and distributing

C · 1 + CB + CD + CE = C(1 + B + D + E) = C

Substituting and distributing

(11) = C + B(D + E)

(10) = A + (11) = A + C + B(D + E)

For convenience let

(10) = Y1 = A + C + B(D + E)

Going to the middle branch

(9) = Y1 + Y2

(8) = G · (9) = G(Y1 + Y2)

(7) = F · (9) = F(Y1 + Y2)

(6) = Y1 · (8) = Y1 G(Y1 + Y2)

Commutating and distributing

(6) = G Y1 Y1 + G Y1 Y2

As before

Y1 · Y1 = Y1 = Y1 · 1

Substituting and distributing

(6) = G Y1 · 1 + G Y1 Y2

= G Y1 (1 + Y2)

= G Y1

Similarly

(5) = Y1 · (7) = Y1 F(Y1 + Y2)

= F Y1

(4) = (5) + (6)

= F Y1 + G Y1

= Y1 (F + G)

Going to the right branch

(3) = Y1 + Y2

(2) = H · (3) = H(Y1 + Y2)

Bringing the three branches together

(1) = (10) · (4) · (2)

= Y1 · Y1 (F + G) · H(Y1 + Y2)

Reducing in the same manner as for function (6) above

(1) = H(F + G) Y1

Substituting

(1) = H(F + G)[A + C + B(D + E)]

Thus, the output of the simplified fault tree used in this example can be expressed
entirely as a function of the basic events. All basic events appear in the expression,
and each appears only once. This permits a quantitative estimate of the probability
of occurrence of the top event in the fault tree (i.e., the output of Gate No. 1 in
Figure 7-6), if the probabilities of occurrence of the basic events are known. The
next section will discuss these probabilities for significant elements in the IL fault
trees.
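The following Python example is added here (it is not code from the report) to serve both the Boolean-expression discussion of Section 9b and the derivation just completed. It transcribes the Figure 7-6 gate network gate by gate, checks over all 256 states of A through H that it equals the reduced expression (1) = H(F + G)[A + C + B(D + E)], and then shows why the reduction matters: combining probabilities gate by gate on the unreduced tree treats the repeated Y1 and Y2 as independent events and gives a wrong answer, whereas the reduced expression, in which each basic event appears once, gives the exact value. The basic-event probabilities are constructed sample values.

```python
# Added example (not from the report): the Figure 7-6 gate network transcribed gate
# by gate from the derivation above, checked exhaustively against the reduced
# expression (1) = H(F + G)[A + C + B(D + E)], and used to show why the repeated
# intermediate events Y1 and Y2 must be eliminated before probabilities are combined.
# Basic-event probabilities are constructed sample values, not figures from the study.
import math
from itertools import product
from typing import Dict

BASIC = "ABCDEFGH"


def gate_network(s: Dict[str, bool]) -> bool:
    """Gate-by-gate Boolean transcription of Figure 7-6, numbered as in the report."""
    A, B, C, D, E, F, G, H = (s[k] for k in BASIC)
    Y2 = C or D               # (14)
    g13 = Y2 or E             # (13)
    g12 = B or C              # (12)
    g11 = g12 and g13         # (11)
    Y1 = A or g11             # (10)
    g9 = Y1 or Y2             # (9)
    g8 = G and g9             # (8)
    g7 = F and g9             # (7)
    g6 = Y1 and g8            # (6)
    g5 = Y1 and g7            # (5)
    g4 = g5 or g6             # (4)
    g3 = Y1 or Y2             # (3)
    g2 = H and g3             # (2)
    return Y1 and g4 and g2   # (1)


def reduced(s: Dict[str, bool]) -> bool:
    """(1) = H(F + G)[A + C + B(D + E)], the result of the algebraic reduction."""
    A, B, C, D, E, F, G, H = (s[k] for k in BASIC)
    return H and (F or G) and (A or C or (B and (D or E)))


def all_states():
    """Every assignment of true/false to the eight basic events."""
    for bits in product([False, True], repeat=len(BASIC)):
        yield dict(zip(BASIC, bits))


def equivalent() -> bool:
    """True if the gate network and the reduced expression agree on all 256 states."""
    return all(gate_network(s) == reduced(s) for s in all_states())


def exact_probability(p: Dict[str, float]) -> float:
    """P(top event) for independent basic events, summed over every state in which
    the gate network is true. This is the reference value."""
    total = 0.0
    for s in all_states():
        if gate_network(s):
            total += math.prod(p[k] if s[k] else 1.0 - p[k] for k in BASIC)
    return total


def _or(*xs):
    return 1.0 - math.prod(1.0 - x for x in xs)


def _and(*xs):
    return math.prod(xs)


def reduced_probability(p: Dict[str, float]) -> float:
    """Probability from the reduced expression. Because every basic event appears
    exactly once, gate-wise combination of independent inputs is exact here."""
    return _and(p["H"], _or(p["F"], p["G"]),
                _or(p["A"], p["C"], _and(p["B"], _or(p["D"], p["E"]))))


def naive_gate_probability(p: Dict[str, float]) -> float:
    """Gate-wise combination applied directly to Figure 7-6, treating every gate input
    as independent. Wrong: Y1 appears at five places and Y2 at three (and C feeds
    both (12) and (14)), so the same events are multiplied as if they were different."""
    Y2 = _or(p["C"], p["D"])
    g13 = _or(Y2, p["E"]); g12 = _or(p["B"], p["C"]); g11 = _and(g12, g13)
    Y1 = _or(p["A"], g11)
    g9 = _or(Y1, Y2); g8 = _and(p["G"], g9); g7 = _and(p["F"], g9)
    g6 = _and(Y1, g8); g5 = _and(Y1, g7); g4 = _or(g5, g6)
    g3 = _or(Y1, Y2); g2 = _and(p["H"], g3)
    return _and(Y1, g4, g2)


SAMPLE_P = {k: 0.1 for k in BASIC}  # constructed probabilities, same for every event

if __name__ == "__main__":
    print("network == reduced on all states:", equivalent())
    print("exact  :", exact_probability(SAMPLE_P))
    print("reduced:", reduced_probability(SAMPLE_P))
    print("naive  :", naive_gate_probability(SAMPLE_P))
```

With every basic event at 0.1, the exact and reduced values coincide at about 3.9 x 10^-3, while the naive gate-by-gate figure is roughly two orders of magnitude smaller, because Y1 is effectively raised to the third power. An exhaustive truth-table check is cheap for eight events; for the full LCS trees the algebraic reduction the report performs is what makes the probability computation tractable.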


[Figure 7-2: the symbol drawings are not reproduced in this scan; the legend follows.]

A logical AND relation.

A logical OR relation.

An event, usually a malcondition, describable in functional terms.

An event, usually a malfunction, describable in terms of a specific
circuit or component. It is represented by the symbol X with a
numerical subscript.

An event not developed further because of lack of information or
because of lack of sufficient consequence. It is represented by
the symbol W with a numerical subscript.

An event that is normally expected to occur.

A connecting symbol to another part of fault tree within the same
major branch. It is represented by the symbol Y with a numerical
subscript.

A connecting symbol to another part of fault tree in a different
major branch (such as an interconnection between the P/G and DPE
branches). It is represented by the symbol Z with a numerical
subscript.

A probability of failure which, though a numerical value can be
assigned, is sufficiently small to be neglected in the context shown.

A probability of failure which cannot be assigned a numerical value
but is considered to be exceedingly small and is assumed to be zero.

Figure 7-2. Fault-Tree Symbols
INTRODUCTION

The following pages of this section are reprinted from Section II,
Volume II of the Bell Telephone Laboratories' Launch Control
Safety Study dated September 15, 1962. It contains significant
mathematical analysis applicable to probability computations.

Boeing document page numbers are added to facilitate the handling
and release of this section.
Section II


DISCUSSION  OF  PROBABILITIES  AND  THEIR  COMBINATION 

The theory of probability forms the basis for the quantitative aspects of this study, and this section documents the manner in which probability theory was applied. It is intended to be neither a philosophical treatise nor a rigorous mathematical treatment, but rather a self-contained account of the basic probability rules and procedures employed in the program.

Before giving consideration to the development of these rules, some cautionary remarks are in order regarding the application of probability theory to a real problem, and the interpretation of the numbers resulting therefrom. Like all mathematical disciplines, the theory of probability is developed in relation to specific, abstract, conceptual models, and the formulas derived apply with exactness only to those models. In applying the theory to the real world, even a most carefully formulated model may not be a wholly adequate representation of the real situation. The degree of confidence in the results must then be tempered by objective estimation of the disparity between model and reality. Because, however, the formulas may be applied mechanically, and the results of a probability analysis, even a poor one, are usually expressed as definite numbers, there is a strong tendency to place implicit faith in the numbers once they are generated, forgetting their shaky foundations. Thus, for example, the simple exponential failure model is used for component failure almost universally in the study. While this model is believed to be a good description of device failure behavior, it is surely not a complete one. Burn-in and wear-out failures are not included, this simplifying omission being justified by the inception time and duration of the operation period. In other parts of the analysis, probabilities may be combined in a manner that is valid only for events that are "exhaustive and exclusive." While attempts are made to insure that the proper conditions apply to the problem at hand, in the actual combinations some overlapping may be present that will impair somewhat the validity of results. Moreover, mathematical approximations are made for convenience throughout the work. This should not affect the more significant figures in the computations, but it will have a minor impact on the results. It must be emphasized that the probability figures generated in this study are not sacred (they are not necessarily accurate to the two significant figures in which they are expressed). At the same time, one must recognize their utility in pinpointing critical areas. It should also be emphasized that meticulous care must be taken in stating a probabilistic problem and in formulating the mathematical model so as to minimize errors in the derived results.

1. AN INTERPRETATION OF PROBABILITY FIGURES

In connection with the problem of interpreting probability figures, it may be useful to discuss an implicit meaning of a given numerical probability value. To illustrate, consider the operation of the random code model discussed in paragraph 2 of Section X. This model is not representative of actual system behavior but is, rather, an artificial invention developed to help estimate a lower bound of system performance. It assumes that an arbitrary sequence of 1's and 0's is continuously being generated at the bit rate. The probability that a bit is a 0 is 0.5. Under this condition, and assuming each new bit initiates an independent message, the model generates a 56-bit code with probability of $5.6 \times 10^{-5}$ for a Flight of ten Launch Facilities (LF's) in ten years.

It is difficult to comprehend the magnitude of this number, let alone its significance in context. To make both aspects more meaningful, the following proposition in probability theory is used: "If an event A has probability p of occurring in a single trial, the most likely number of occurrences of A in n trials is np." Using this proposition, the illustrative probability figure can be translated to other terms as follows:

Let a trial for code generation constitute exposure of ten LF's to the random model environment for ten years. Then, for example, ten trials would mean any one of the following exposures: 100 LF's for 10 years, or 10 LF's for 100 years, or 25 LF's for 40 years, or any other ten-fold scaling of the product of LF-years.

Now it can be seen that the above proposition applied to the probability in the example implies that the most likely number of occurrences of code generation will be one launch code when

$$np = 1 \quad \text{or} \quad n = \frac{1}{p} \approx 2 \times 10^{4} \text{ trials}$$

Thus, the probability is equivalent to stating that the most probable time to a single code generation for a Flight of ten LF's will be $2 \times 10^{5}$ years; or, alternatively, the expected number of codes will be one in $2 \times 10^{5}$ years. (If it is assumed that a Poisson probability model applies, the probability associated with this single code generation in $2 \times 10^{5}$ years can be shown to be $1/e = 0.37$, but it drops off quickly to near-zero values in the realistic future, diminishing to $5.6 \times 10^{-5}$ in ten years.)

The  above  is  one  of  several  possible  interpretations  which  may  help  give  a  proba¬ 
bility  value  some  significance  related  to  experience. 

2. BACKGROUND PREPARATORY TO COMBINING PROBABILITIES IN FAULT TREES

a.  Basic  Considerations 

This section is devoted to developing the background required for deriving the relations expressing overall probabilities, given the probabilities of component events and the manner in which they are related logically as prescribed by the fault tree.

The basic mathematical doctrine drawn upon here is the set of rules governing combinations of independent events. (Independent events are those for which the occurrence of one does not influence the occurrence of another.) The qualification "independent" is imposed not only because of the resulting simplification but also because the Boolean version of the fault tree contains only events that may be regarded as independent, as will be shown below.

For combining probabilities of two independent events A and B, the basic rules as given by probability theory are:

1. The probability of the occurrence of both A and B, written in set symbology $P(A \cap B)$, is

$$P(A \cap B) = P(A) \cdot P(B)$$

2. The probability of the occurrence of either A or B or both, written $P(A \cup B)$, is

$$P(A \cup B) = P(A) + P(B) - P(A \cap B)$$

In this case, since A and B are independent, rule 1 is used to obtain

$$P(A \cup B) = P(A) + P(B) - P(A) \cdot P(B)$$

and note that if both $P(A)$ and $P(B)$ are small,

$$P(A \cup B) \approx P(A) + P(B)$$

This approximate result is used throughout the subsequent development and in all computations.

b.  Composite  Probability  from  Fault  Tree  and  Boolean  Expression 

Turn now briefly to the format of the fault tree for an illustration of the application of the probability rules thereto and the reason for introducing the Boolean concept. Figure 2-1 shows a typical portion of a tree. The labels on the tree are Boolean functions which take on the value 1 when the failures or malfunctions exist and the value 0 otherwise. The tree shows that the joint occurrence of events A and B $(A \cap B)$ constitutes event C which together with D either singly or jointly $(C \cup D)$ produces the event E. Thus

$$E = (C \cup D) = (A \cap B) \cup D$$
Figure 2-1. Portion of Typical Fault Tree


(Strictly speaking, E is not identical to the event $[(A \cap B) \cup D]$, but rather E is implied by, or always occurs with, the indicated composite event.)

Another way to express E is in Boolean terms:

$$E = A \cdot B + D$$

The probability of E may be found from either of the above relationships. Using the first, together with rules 1 and 2,

$$P(E) = P[(A \cap B) \cup D] \approx P(A \cap B) + P(D) = P(A) \cdot P(B) + P(D)$$

P(E) also follows directly from the Boolean expression and suggests that a simple, unifying approach to fault probability determination may be to write the Boolean expression for the occurrence of an event and then convert it to a probability relation. This approach also has the virtue of avoiding possible errors due to common events (a form of dependency), as illustrated by the following example:

In Figure 2-2a, B is an event which renders D and E mutually dependent. Ignoring this fact and mechanically applying the rules yields

$$P(F) = P(D) + P(E) = P(A) \cdot P(B) + P(B) + P(C)$$

If, however, the Boolean representation is used,

$$F = A \cdot B + (B + C) = AB + B + C = B(A + 1) + C = B + C$$

thus

$$P(F) = P(B) + P(C)$$

Figure 2-2a. Portion of Fault Tree with Dependent Events

This differs markedly from the first expression. The latter is the correct result, and it is portrayed in the Boolean tree of Figure 2-2b. In this form, all events are independent. (Note that the use of set relationships could also yield a correct result, but this approach is more unwieldy and difficult to apply to complex cases.) It is now evident that the Boolean approach is a simple technique which handles the problem of dependent events (of the type caused by a common element) by yielding an equivalent format wherein all events are independent.
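The two computations contrasted above, as an added example that is not part of the study: a small fault-tree evaluator that applies rules 1 and 2 mechanically gate by gate, and separately computes the exact probability by enumerating the independent basic events. The trees reproduce the structure of Figures 2-1 and 2-2a; the function names and the sample probabilities are constructed for the example.

```python
import itertools

# Added example, not code from the Bell Labs study. A tree is either a
# basic-event name (str) or a gate ('AND', ...) / ('OR', ...).
FIG21 = ('OR', ('AND', 'A', 'B'), 'D')                 # E = (A ∩ B) ∪ D
FIG22A = ('OR', ('AND', 'A', 'B'), ('OR', 'B', 'C'))   # F = A·B + (B + C); B is common
SAMPLE_P = {'A': 0.01, 'B': 0.02, 'C': 0.03, 'D': 0.01}  # constructed sample values


def basic_events(tree):
    """Set of basic-event names appearing anywhere in the tree."""
    if isinstance(tree, str):
        return {tree}
    return set().union(*(basic_events(k) for k in tree[1:]))


def evaluate(tree, state):
    """Boolean value of the tree (1 = failure exists) for one assignment of basic events."""
    if isinstance(tree, str):
        return state[tree]
    op, *kids = tree
    vals = [evaluate(k, state) for k in kids]
    return int(all(vals) if op == 'AND' else any(vals))


def p_mechanical(tree, probs):
    """Rules 1 and 2 applied gate by gate, with P(A ∪ B) ≈ P(A) + P(B) for OR gates,
    treating every gate input as independent. This is the 'mechanical' computation
    the text warns about: a common event feeding two branches is counted twice."""
    if isinstance(tree, str):
        return probs[tree]
    op, *kids = tree
    ps = [p_mechanical(k, probs) for k in kids]
    if op == 'AND':
        prod = 1.0
        for p in ps:
            prod *= p
        return prod
    return sum(ps)


def p_exact(tree, probs):
    """Exact P(top event): enumerate every state of the independent basic events,
    weight each state by its probability, and sum those in which the tree is 1.
    For Figure 2-2a this is exactly what the reduced form F = B + C gives."""
    names = sorted(basic_events(tree))
    total = 0.0
    for bits in itertools.product((0, 1), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(tree, state):
            weight = 1.0
            for name, bit in zip(names, bits):
                weight *= probs[name] if bit else 1.0 - probs[name]
            total += weight
    return total


def p_boolean_reduced_fig22a(probs):
    """Figure 2-2a after Boolean reduction, F = B + C, with rule 2 applied exactly."""
    return probs['B'] + probs['C'] - probs['B'] * probs['C']


if __name__ == '__main__':
    for name, tree in (('Figure 2-1', FIG21), ('Figure 2-2a', FIG22A)):
        print(name, 'mechanical =', round(p_mechanical(tree, SAMPLE_P), 6),
              'exact =', round(p_exact(tree, SAMPLE_P), 6))
    print('Figure 2-2a via B + C =', round(p_boolean_reduced_fig22a(SAMPLE_P), 6))
```

For Figure 2-1 the mechanical result differs from the exact one only by the small-probability approximation, while for Figure 2-2a it overstates P(F) because B is counted in both branches.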
c. Reliability Function

Before proceeding to the development of actual composite event probabilities, it is necessary to introduce yet another fundamental relationship, the reliability function used extensively throughout the fault-tree computations. Because of its importance and the degree to which it is called upon in the subsequent development, an extended if nonrigorous discussion of the reliability function, its complement, and its associated density functions is presented.


Figure 2-2b. Boolean Equivalent of Figure 2-2a


(1) Device Reliability. Suppose a large set of $N_0$ identical (with respect to manufacture) devices is subjected to life test, after having eliminated "burn-in" or early-life failures of the substandard members. At time t, $N_F(t)$ devices have failed and $N_S(t)$ survive. Then the reliability of the device, R(t), may be defined as the probability of a member's survival to time t and would be given empirically by the ratio of surviving to original members as a function of time, averaged over many such life tests.

$$R(t) = \frac{N_S(t)}{N_0} = \frac{N_0 - N_F(t)}{N_0} = 1 - \frac{N_F(t)}{N_0}$$

Although $N_F(t)$, and consequently R(t), take on only discrete values, it may be assumed that continuous functions approximate them, and then

$$\frac{dR(t)}{dt} = \frac{d}{dt}\left[\frac{N_S(t)}{N_0}\right] = -\frac{1}{N_0}\,\frac{dN_F(t)}{dt}$$

or

$$\frac{dN_F(t)}{dt} = -N_0\,\frac{dR(t)}{dt}$$

Now $dN_F(t)/dt$ is the failure rate at time t, while $[dN_F(t)/dt]\,dt$ is the number of failures in the interval (t, t + dt). On dividing $dN_F(t)/dt$ by $N_S(t)$, the failure rate per surviving member is obtained, which is called the hazard function, h(t).


$$h(t) = \frac{1}{N_S(t)}\,\frac{dN_F(t)}{dt}$$
The hazard function h(t) is in the nature of a conditional probability density of time-to-failure, because

$$h(t)\,dt = \frac{dN_F(t)}{N_S(t)}$$

is the fraction of surviving members at the start of an interval (time t) which fail in the interval (t, t + dt).

(2) Failure Density Function. If $dN_F(t)/dt$ is divided by $N_0$ instead of by $N_S(t)$, the failure rate per original member, designated f(t), is obtained as

$$f(t) = \frac{1}{N_0}\,\frac{dN_F(t)}{dt}$$

This failure rate f(t) is also a probability density function of time-to-failure, since

$$f(t)\,dt = \frac{dN_F(t)}{N_0}$$

represents the fraction of original members that fail in the interval (t, t + dt).

Some useful reliability relationships can be derived from these definitions. Starting with h(t):

$$h(t) = \frac{1}{N_S(t)}\,\frac{dN_F(t)}{dt} = -\frac{N_0}{N_S(t)}\,\frac{dR(t)}{dt} = -\frac{1}{R(t)}\,\frac{dR(t)}{dt}$$

or

$$h(t)\,dt = -\frac{dR(t)}{R(t)}$$

Integrating,

$$\int_0^t h(t)\,dt = -\ln R(t) + k$$

Since

$$R(0) = \frac{N_S(0)}{N_0} = 1$$

then k = 0, and

$$R(t) = e^{-\int_0^t h(t)\,dt}$$


If h(t) is assumed to be constant, a condition closely realized in life testing experience, and $h(t) = \lambda$ is called simply the failure rate, then $R(t) = e^{-\lambda t}$ is the reliability function giving the probability of member survival to time t. (It is assumed that the device is not operated long enough to exceed the constant $\lambda$ range.)


The probability that the device will have failed by time t is the complementary function Q(t), where

$$Q(t) = 1 - R(t) = 1 - e^{-\lambda t}$$

This is the expression used to evaluate the fault-tree "circles" (basic circuit failures). To illustrate its use, suppose that a device failure rate $\lambda = 250$ failures per $10^9$ hours, and t = 30,000 hours. Then

$$Q = 1 - e^{-\lambda t} = 1 - \left[1 - \lambda t + \tfrac{1}{2}\lambda^2 t^2 - \dots\right] \approx \lambda t$$

If higher order terms may be neglected (the usual situation in this study),

$$\therefore\ Q \approx \lambda t = \frac{250}{10^9} \times 30{,}000 = 0.0075$$

An interpretation of this result (as indicated in paragraph 1) is that if 10,000 such circuits were run for 30,000 hours each, about 75 failures could be expected among them.


Returning now to f(t),

$$f(t) = \frac{1}{N_0}\,\frac{dN_F(t)}{dt} = -\frac{dR(t)}{dt}$$

$$\therefore\ f(t) = \lambda e^{-\lambda t}$$

On integrating f(t),

$$\int_0^\infty f(t)\,dt = \int_0^t \lambda e^{-\lambda t}\,dt + \int_t^\infty \lambda e^{-\lambda t}\,dt = \left(1 - e^{-\lambda t}\right) + e^{-\lambda t} = Q(t) + R(t) = 1$$

The preceding states that Q(t), the probability of failure by time t, may be found by integrating the density function from 0 to t; the graphical significance is shown in Figure 2-3a.


To obtain the probability of failure in some crucial interval subsequent to 0, say $(t_1, t_2)$, f(t) must be integrated over that interval:

$$Q(t_1, t_2) = \int_{t_1}^{t_2} \lambda e^{-\lambda t}\,dt = e^{-\lambda t_1} - e^{-\lambda t_2} = e^{-\lambda t_1} - e^{-\lambda(t_1 + \tau)} = e^{-\lambda t_1}\left(1 - e^{-\lambda \tau}\right)$$

$$Q(t_1, t_2) = R(t_1) \cdot Q(\tau)$$

where

$$\tau = t_2 - t_1$$

This result states that the failure probability in an interval of length $\tau$ starting at $t_1$ is equal to the probability that the device has survived to time $t_1$, multiplied by the probability of failure in an interval of length $\tau$ which starts at 0. The graphical interpretation of $Q(t_1, t_2)$ is shown in Figure 2-3b.
Figure 2-3a. Graphical Significance of Q(t) and R(t)

Figure 2-3b. Graphical Significance of $Q(t_1, t_2)$


One additional fact is drawn from f(t). Since f(t) is a probability density of time-to-failure (which is to say that there is a time distribution of failure probability densities), it is in order to inquire which value of t is the mean of this distribution. The answer is found by "weighting" each value of t with its associated density and integrating over all t:

$$m = \int_0^\infty t \cdot f(t)\,dt = \int_0^\infty t \lambda e^{-\lambda t}\,dt = \frac{1}{\lambda}$$

Thus, for the constant hazard function,

$$m = \frac{1}{\lambda}$$

That is, the mean-time-between-failure (MTBF) is the reciprocal of the failure rate.

In the following work, m and $1/\lambda$ are used interchangeably as convenience dictates.
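The reliability relationships of this paragraph (R, Q, the interval result $Q(t_1, t_2) = R(t_1) \cdot Q(\tau)$, and $m = 1/\lambda$) together with the paragraph-1 reading of a probability as an expected count, as an added example that is not the study's own code. LAMBDA and T_EXAMPLE are the study's worked values (250 failures per $10^9$ hours, 30,000 hours) and P_CODE is the $5.6 \times 10^{-5}$ figure of paragraph 1; the function names, the numerical MTBF check and the interval endpoints used in the test are constructed.

```python
import math

# Added example, not code from the Bell Labs study. Constants taken from the
# text's worked numbers; everything else is constructed for illustration.
LAMBDA = 250 / 1e9        # failure rate, 250 failures per 10^9 hours
T_EXAMPLE = 30_000.0      # hours
P_CODE = 5.6e-5           # paragraph 1: P(56-bit code) for ten LF's in ten years


def reliability(lam, t):
    """R(t) = exp(-λt): probability of survival to time t (constant hazard)."""
    return math.exp(-lam * t)


def unreliability(lam, t):
    """Q(t) = 1 - R(t): probability of failure by time t."""
    return 1.0 - math.exp(-lam * t)


def unreliability_first_order(lam, t):
    """Q ≈ λt, the first-order approximation used throughout the study."""
    return lam * t


def interval_failure_probability(lam, t1, t2):
    """Q(t1, t2) = ∫_{t1}^{t2} f(t) dt with f(t) = λ exp(-λt)."""
    return math.exp(-lam * t1) - math.exp(-lam * t2)


def interval_failure_via_survival(lam, t1, t2):
    """The same quantity in the factored form Q(t1, t2) = R(t1) · Q(τ), τ = t2 - t1."""
    return reliability(lam, t1) * unreliability(lam, t2 - t1)


def mtbf(lam):
    """m = ∫ t f(t) dt = 1/λ for the constant hazard function."""
    return 1.0 / lam


def mtbf_numeric(lam, steps=200_000):
    """Numerical check of m = ∫_0^∞ t λ exp(-λt) dt by the trapezoidal rule,
    truncated at 40 MTBFs (the neglected tail is of order 41·exp(-40))."""
    upper = 40.0 / lam
    h = upper / steps
    total = 0.0
    for k in range(steps + 1):
        t = k * h
        w = 0.5 if k in (0, steps) else 1.0
        total += w * t * lam * math.exp(-lam * t)
    return total * h


def expected_failures(q, population):
    """'The most likely number of occurrences in n trials is np' (paragraph 1)."""
    return population * q


def trials_for_one_expected_event(p):
    """n = 1/p: the number of trials at which the expected count reaches one."""
    return 1.0 / p


def poisson_probability(k, mean):
    """Poisson probability of exactly k events when the expected count is `mean`."""
    return math.exp(-mean) * mean ** k / math.factorial(k)


if __name__ == "__main__":
    q = unreliability(LAMBDA, T_EXAMPLE)
    print("Q(30,000 h) exact", q, "first order", unreliability_first_order(LAMBDA, T_EXAMPLE))
    print("expected failures among 10,000 circuits", expected_failures(q, 10_000))
    print("MTBF", mtbf(LAMBDA), "numeric", mtbf_numeric(LAMBDA))
    n = trials_for_one_expected_event(P_CODE)
    print("trials for one expected code", n, "= about", n * 10, "years for ten LF's")
    print("Poisson P(exactly one event | mean 1) =", poisson_probability(1, 1.0))
```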

3. COMPOSITE FAILURE PROBABILITY UNDER SPECIFIC CONDITIONS

With the background of paragraph 2, the main objective of this section may be undertaken: the derivation of relationships for composite probability of failure under specific conditions prescribed by the fault trees. (Note that rules are not developed here for determining circuit failure from probabilities of component failure. This aspect is dealt with in Sections VII and VIII.)

In the following discussion the fault detection feature associated with some events is at once the significant element in the composite event and the complicating part of the analysis. Fault detection enters the analysis by prescribing a necessary sequence or order of failures if the composite event is to occur. It enters the physical system through the alarm and status features, as well as through test modes.

One starts with two events, A and B, which are independent failure conditions having constant failure rates $\lambda_A$, $\lambda_B$ or, alternatively, MTBF's $m_A$, $m_B$, respectively. The composite event of interest is the combination of A and B in an AND Gate under various conditions, resulting in event F. (In Boolean terms, $F = A \cdot B$.) Required is the probability P(F) that F occurs under the following different circumstances:

CASE I. Neither A nor B is subject to detection throughout the entire operation period $T_0$.

Solution: This is the case that applies to the bulk of the computations. Since A and B are independent,

$$P(F) = P(A) \cdot P(B) = \left(1 - e^{-\lambda_A T_0}\right)\left(1 - e^{-\lambda_B T_0}\right) \approx \lambda_A T_0 \cdot \lambda_B T_0 = \lambda_A \lambda_B T_0^2$$
CASE II. Condition A triggers a detection alarm and is corrected immediately on occurrence. B is not subject to detection.

Solution: Under the given hypothesis, the only way for F to occur is to have B precede A, since if A precedes B, A is always corrected and the two events can never coexist (neglecting precisely simultaneous failures). An implicit order condition is thus imposed by the detection feature.


First express the probability that B occurs in the differential interval dt which starts at t and is followed by the occurrence of A in the interval $(t, T_0)$, given that A has not occurred up to t:

$$P[B(dt)] \cdot P[A(T_0 - t)] = \frac{1}{m_B}\,e^{-t/m_B}\,dt\left[1 - e^{-(T_0 - t)/m_A}\right]$$

Since F will result if the above compound event occurs for any t in $(0, T_0)$, P(F) is obtained by integrating over t in the overall interval:

$$P(F) = \int_0^{T_0} \frac{1}{m_B}\,e^{-t/m_B}\left[1 - e^{-(T_0 - t)/m_A}\right]dt$$

If $m_A = m_B = m$,

$$P(F) = \left[-e^{-t/m} - \frac{t}{m}\,e^{-T_0/m}\right]_0^{T_0} = 1 - e^{-T_0/m} - \frac{T_0}{m}\,e^{-T_0/m} = 1 - \left(1 + \frac{T_0}{m}\right)e^{-T_0/m}$$

Preserving only first and second order exponential terms,

$$P(F) \approx \frac{T_0^2}{2m^2}$$
If $m_A \neq m_B$,

$$P(F) = \int_0^{T_0} \frac{1}{m_B}\,e^{-t/m_B}\,dt - \frac{1}{m_B}\,e^{-T_0/m_A}\int_0^{T_0} e^{-[(m_A - m_B)/(m_A m_B)]\,t}\,dt$$

$$= 1 - e^{-T_0/m_B} - \frac{m_A}{m_A - m_B}\left(e^{-T_0/m_A} - e^{-T_0/m_B}\right)$$

This is the exact expression for the general case. On expanding the exponentials to second order terms,

$$P(F) \approx \frac{T_0^2}{2 m_A m_B}$$

Comparing this result with the approximation in Case I, one notes that the instantaneous detection feature has decreased the failure probability to half the unchecked value. This aspect is discussed more fully later.

In addition to the alarm detection situation specified in the hypothesis, Case II also applies to the following. Suppose B is the failure of an enable input to a gate. A is a sporadic pulse whose rise (or fall) in conjunction with B results in F. Before the occurrence of B (the persistent change of state) the appearance of A (a sporadic pulse) has no effect and is equivalent to failure and immediate correction. But once B has occurred, the reappearance of A gives F.

CASE IIa. F results only if B occurs before A in $(0, T_0)$, but neither is subject to detection.

Solution: This case is similar to Case II in that an order condition is imposed. (Here it is explicit.) It differs from Case II in that absence of failure detection requires P(F) to include an additional factor for the probability that A has not occurred up to the time B occurs. (In Case II, this factor is unity by virtue of the instantaneous detection and correction condition.) Therefore, the expression wanted is for the probability of the event, "B occurs in the differential interval dt starting at t, A has not occurred up to t, A occurs in $(t, T_0)$":

$$P[B(dt)] \cdot P[\bar{A}(t)] \cdot P[A(T_0 - t)] = \lambda_B e^{-\lambda_B t}\,dt \cdot e^{-\lambda_A t}\left[1 - e^{-\lambda_A (T_0 - t)}\right]$$



As before, F will result if this compound event occurs for any t in $(0, T_0)$. P(F) is obtained by integration:

$$P(F) = \int_0^{T_0} \lambda_B e^{-\lambda_B t}\,e^{-\lambda_A t}\left[1 - e^{-\lambda_A (T_0 - t)}\right]dt$$

$$= \frac{m_A}{m_A + m_B}\left[1 - e^{-[(m_A + m_B)/(m_A m_B)]\,T_0}\right] - e^{-T_0/m_A}\left[1 - e^{-T_0/m_B}\right]$$

This is the exact expression in the general case. If $m_A = m_B = m$,

$$P(F) = \frac{1}{2}\left[1 - e^{-2T_0/m}\right] - e^{-T_0/m}\left[1 - e^{-T_0/m}\right]$$

Again neglecting exponential terms above the second degree,

$$P(F) \approx \frac{T_0^2}{2m^2}$$

This result is the same as in Case II.

If one now approximates P(F) when $m_A \neq m_B$ by preserving terms only up to the second order, one again obtains

$$P(F) \approx \frac{T_0^2}{2 m_A m_B}$$

as in Case II. Apparently the order condition alone has reduced the probability of failure by one half.

CASE III. The system is examined for the occurrence of A at discrete times $T_1, 2T_1, \dots, nT_1 = T_0$. If A has occurred, corrective action is taken to replace the failure at the end of the interval in which it occurred. B's occurrence is not subject to detection throughout $(0, T_0)$.

Solution: This case introduces the effect of periodic testing of one critical element in the logical AND gate. In the actual system, $T_1$ could correspond to the daily Sensitive Command Network Test (SCNT) or the monthly TEST.

F will occur if both A and B coexist at any time. Because B's failure is persistent, while A's lasts only for the balance of the interval in which it occurs, F is the event "B fails in an interval, and A fails in the same or a subsequent interval."

$$P[F(0, T_0)] = P[B(0, T_1)] \cdot P[A(0, T_0)] + P[B(T_1, 2T_1)] \cdot P[A(T_1, T_0)] + P[B(2T_1, 3T_1)] \cdot P[A(2T_1, T_0)] + \dots + P\{B[(n-1)T_1, nT_1]\} \cdot P\{A[(n-1)T_1, nT_1]\}$$

But

$$P[A(iT_1, nT_1)] = 1 - \{P[\bar{A}(0, T_1)]\}^{n-i}$$

The probability that A occurs in at least one of (n - i) intervals is the complement of the probability that it fails to occur in all of them.

$$\therefore\ P[F(0, T_0)] = P[B(0, T_1)]\left\{1 - P^{n}[\bar{A}(I)]\right\} + P[B(T_1, 2T_1)]\left\{1 - P^{n-1}[\bar{A}(I)]\right\} + \dots + P\{B[(n-1)T_1, nT_1]\}\left\{1 - P[\bar{A}(I)]\right\}$$

where

$$P[\bar{A}(I)] = P[\bar{A}(0, T_1)]$$

Now

$$P\{B[iT_1, (i+1)T_1]\} = e^{-\lambda_B i T_1}\left(1 - e^{-\lambda_B T_1}\right)$$

and

$$1 - P^{n-i}[\bar{A}(I)] = 1 - e^{-\lambda_A (n-i) T_1}$$

$$\therefore\ P[F(0, T_0)] = \left(1 - e^{-\lambda_B T_1}\right)\sum_{i=0}^{n-1} e^{-\lambda_B i T_1}\left[1 - e^{-\lambda_A (n-i) T_1}\right]$$

If $\lambda_A = \lambda_B = \lambda$,

$$P[F(0, T_0)] = \left(1 - e^{-\lambda T_1}\right)\left[\frac{1 - e^{-\lambda n T_1}}{1 - e^{-\lambda T_1}} - n\,e^{-\lambda n T_1}\right] = 1 - (n+1)\,e^{-\lambda n T_1} + n\,e^{-\lambda (n+1) T_1}$$

Preserving only first and second order terms,

$$P[F(0, T_0)] \approx \frac{\lambda^2 T_1^2}{2}\,n(n+1)$$

Again the similarity to Case II is noted.

Writing $r = e^{-\lambda_B T_1}$ and $s = e^{-\lambda_A T_1}$, the general result may be expressed as

$$P[F(0, T_0)] = (1 - r)(1 - s)\sum_{i=0}^{n-1}\ \sum_{j=0}^{n-1-i} r^{i} s^{j}$$


The result has been expressed in this form to exhibit the remarkable symmetry in r and s or, equivalently, in $\lambda_A$ and $\lambda_B$. This means that, if $\lambda_A$ and $\lambda_B$ are interchanged, the composite failure probability is not changed. Thus, if A has an MTBF of 10~ hours while B has an MTBF of 10® hours, the probability of F is exactly the same as if these attributes were reversed. An even more surprising interpretation of the symmetry is that the probability of composite failure is the same whether one checks the more reliable or the less reliable device at the periodic intervals! This fact may have significant implications on maintenance procedures.

For use in computations, $P[F(0, T_0)]$ is expressed as

$$P[F(0, T_0)] = \left(1 - e^{-\lambda_B n T_1}\right) - \left(1 - e^{-\lambda_B T_1}\right)e^{-\lambda_A n T_1}\,\frac{1 - e^{-(\lambda_B - \lambda_A) n T_1}}{1 - e^{-(\lambda_B - \lambda_A) T_1}}$$

Once again the approximate expression retaining squared terms only is

$$P[F(0, T_0)] \approx \frac{1}{2}\,\lambda_A \lambda_B T_0^2\left[1 + \frac{1}{n}\right]$$


This result tells how much protection is achieved by checking one device n times in the interval $(0, T_0)$. In particular, if there is no checking (n = 1),

$$P[F(0, T_0)] \approx \frac{1}{2}(1 + 1)\,\lambda_A \lambda_B T_0^2 = \lambda_A \lambda_B T_0^2$$

as in Case I, and the probability of composite failure is twice as great as in the case of instantaneous checking (Case II). (The Case II result also follows by putting $n = \infty$ in the above approximation for P(F).) If a check is made once at the midpoint of $(0, T_0)$ so that n = 2, the probability of F is reduced by 25 percent from the no-check condition. Nine checks (n = 10) give a 45 percent reduction of the probability of F from the no-check case. With 100 checks, the probability of F is practically as low as in the Case II condition. Thus Case III includes Cases I and II as special cases.
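The four AND-gate cases of this paragraph as an added example that is not the study's own code: closed forms for Cases I, II, IIa and III, a numerical integration that checks the Case II and IIa expressions, and the n-dependence and symmetry claims made above. The failure rates and operation period are constructed sample values, and the function names are this example's own.

```python
import math

# Added example, not from the Bell Labs study. Rates are per hour, times in hours;
# all three constants are constructed sample values.
LAM_A = 1 / 20_000.0   # λ_A (m_A = 20,000 h)
LAM_B = 1 / 50_000.0   # λ_B (m_B = 50,000 h)
T0 = 720.0             # operation period: 30 days


def simpson(f, a, b, steps=2000):
    """Composite Simpson's rule over (a, b); steps must be even."""
    h = (b - a) / steps
    total = f(a) + f(b)
    for k in range(1, steps):
        total += (4 if k % 2 else 2) * f(a + k * h)
    return total * h / 3


def case1(la, lb, t0):
    """Case I, neither event detected: P(F) = Q_A(T0) · Q_B(T0)."""
    return (1 - math.exp(-la * t0)) * (1 - math.exp(-lb * t0))


def case2(la, lb, t0):
    """Case II, A corrected at once, B undetected (exact). Equal rates use the
    m_A = m_B form 1 - (1 + T0/m) e^{-T0/m}."""
    if math.isclose(la, lb):
        return 1 - (1 + la * t0) * math.exp(-la * t0)
    return 1 - math.exp(-lb * t0) - lb / (lb - la) * (math.exp(-la * t0) - math.exp(-lb * t0))


def case2_integral(la, lb, t0):
    """Case II integrand: B at t, then A somewhere in (t, T0)."""
    return simpson(lambda t: lb * math.exp(-lb * t) * (1 - math.exp(-la * (t0 - t))), 0, t0)


def case2a(la, lb, t0):
    """Case IIa, neither detected but F requires B before A (exact)."""
    return (lb / (la + lb) * (1 - math.exp(-(la + lb) * t0))
            - math.exp(-la * t0) * (1 - math.exp(-lb * t0)))


def case2a_integral(la, lb, t0):
    """Case IIa integrand: B at t, A not yet failed at t, A in (t, T0)."""
    return simpson(lambda t: lb * math.exp(-(la + lb) * t) * (1 - math.exp(-la * (t0 - t))), 0, t0)


def case3_sum(la, lb, t0, n):
    """Case III, A checked at T1, 2T1, ..., nT1 = T0 and replaced at the end of the
    interval in which it failed, B undetected: the interval-by-interval sum."""
    t1 = t0 / n
    return (1 - math.exp(-lb * t1)) * sum(
        math.exp(-lb * i * t1) * (1 - math.exp(-la * (n - i) * t1)) for i in range(n))


def case3_closed(la, lb, t0, n):
    """Closed form of the Case III sum; equal rates use 1 - (n+1)e^{-λnT1} + n e^{-λ(n+1)T1}."""
    t1 = t0 / n
    if math.isclose(la, lb):
        return 1 - (n + 1) * math.exp(-la * n * t1) + n * math.exp(-la * (n + 1) * t1)
    d = lb - la
    return (1 - math.exp(-lb * n * t1)) - (1 - math.exp(-lb * t1)) * math.exp(-la * n * t1) * (
        (1 - math.exp(-d * n * t1)) / (1 - math.exp(-d * t1)))


def case3_second_order(la, lb, t0, n):
    """½ λ_A λ_B T0² (1 + 1/n): n = 1 reproduces Case I, n → ∞ gives Case II."""
    return 0.5 * la * lb * t0 ** 2 * (1 + 1 / n)


def reduction_from_no_check(n):
    """Fractional reduction of P(F) relative to no checking, from the second-order form."""
    return 1 - (1 + 1 / n) / 2


if __name__ == "__main__":
    print("Case I  ", case1(LAM_A, LAM_B, T0))
    print("Case II ", case2(LAM_A, LAM_B, T0), "integral", case2_integral(LAM_A, LAM_B, T0))
    print("Case IIa", case2a(LAM_A, LAM_B, T0), "integral", case2a_integral(LAM_A, LAM_B, T0))
    for n in (1, 2, 10, 100):
        print(f"Case III n={n:<4}", case3_closed(LAM_A, LAM_B, T0, n),
              "second order", case3_second_order(LAM_A, LAM_B, T0, n),
              "reduction", reduction_from_no_check(n))
```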